MFA Unwrapped: Breaking Down Authentication Silos
Bravura OneAuth powered by HYPR
Introducing Bravura OneAuth
Eliminate the Security Risk of Legacy MFA with True Passwordless Authentication
Legacy multi-factor authentication has failed. CISA and OMB have issued directives that organizations should move to phishing-resistant MFA. As organizations deploy passwordless authentication to improve security and user experience, they must consider change management challenges. Watch Ian Reay, VP of Engineering at Bravura Security, and Michael Rothschild, VP of Product Marketing at HYPR, as they discuss how to break down silos and best practices for moving toward passwordless authentication.
They cover:
- Key considerations when moving to passwordless authentication
- How to avoid the pitfalls of going passwordless
- Ways to improve security while remaining flexible
- How to identify silos that may hinder change management efforts
- Why it’s in an organization’s best interest to separate authentication from identity
Bravura Security has partnered with HYPR to deliver a true passwordless future with Bravura OneAuth. The joint solution allows organizations to bridge the gap between comprehensive security and a painless way for employees to connect to the resources they need. Contact one of our security experts to learn more.
Identities are the heart of all access in your organization. They’re also the bullseye for attacks - particularly the often low-hanging passwords and high-valued privileges. Are you ready?
Learn how you can achieve increased identity protection from a state of fragmented access management to the precision of calling the shots with a zero trust security model.
Review the Full Session Transcript
No time to watch the session? No problem. Take a read through the session transcript.
Speakers:
- Ian Reay, VP of Engineering at Bravura Security
- Michael Rothschild, VP of Product Marketing at HYPR
Michael Rothschild (00:12):
And hello everyone. We're going to get started in just a couple of minutes, just letting everybody come on into the webinar and we'll get started in about a minute or so. Thanks for joining. Okay, we'll give people about another 30 seconds to join.
Michael Rothschild (01:37):
Okay, we're going to get started. Thank you everybody for joining today. Really happy to have you with us, whether you're on the live version or the recorded version. So obviously for those of you that are on the live version right now, we will make this available afterwards. We are recording at this point, so if you've missed any portion of this, if you'd like to get more information, if you want to share with a colleague, please do so. We have an exciting topic today around multifactor authentication, unwrapped, breaking down authentication silos. We're really going to talk about this notion of silos today, and I'm joined by Ian, who is from Bravura Security. This is a joint webinar between us and we really look forward to bringing you through this. If you have any questions, please just put it in the chat and we'll get to that at the end. We'll go through all of our material first, but we've allotted a significant amount of time for any questions that perhaps we can answer for you. So at any time, you can put that right in the QA box and we'll get to 'em at the end.
Michael Rothschild (02:47):
In terms of what we'll be presenting today, Ian and I are going to go through a bunch of topics around multifactor authentication and the idea of silos. We'll talk specifically about the authentication side, where perhaps now you're considering moving to passwordless authentication. We'll talk a little bit about some of the things you need to watch out for, some of the tips and tricks of it. And we'll also share with you some of the ways to avoid some of the pitfalls when you do go passwordless. It should be a smooth process, and we're going to help you ensure that that in fact happens. We talk about security so frequently, and one of the things we can say, if you've been in security for any period of time, is that security, and/or the threat matrix, the threat surface, always changes. We'll talk about how you can remain flexible.
(03:41):
So while you're solving all of your problems today, it's also a matter of being forward compatible to what's happening next, whether it's a threat matrix, whether your business model changes. We'll spend some time on that. We're going to talk about the age old story of silos, and we know from so many other security areas that one of the most dangerous things or perhaps non-efficient things is to operate in silos. We know that very often attacks can get past a siloed thing. It just simply falls through the cracks. So we'll be spending some time on that. And then finally, we'll also be talking about how you can separate authentication from identity, why you might want to consider this and what some of the benefits are, as well as what some of the tips and tricks are. So Ian, really pleased that you're joining us today, and we'll go through this.
(04:36):
So just really kind of set the stage. One of the things that we've learned about, and I just put up the timeline of some of the major attacks in 2022, traditional multifactor authentication has failed. MFA was supposed to be the big story to ensure that when you authenticate to something that people can't just steal your password, people can't just bypass authentications, but there are so many instances of multifactor authentication where you're using something, you know, something you have perhaps you're using one-time passwords. All of this stuff we've seen this year can be breached. And there are some examples up here that we can talk about where there have been real cases where even one-time passwords have been breached and that number continues to grow. This certainly isn't all of the breaches that are out there. I just ran it through September and certainly we can add more in October and November.
(05:35):
They continue to expand, they continue to be the point of entry or the attack vector for many other attacks that we're seeing today. These types of attacks are happening, and once somebody can get in, there is that notion of a lateral move over to other areas of the network. So keep in mind that a hacker or an attack only has to be right once; we as security people have to be right every single time. So that one simple case might be the case where you get hacked. So obviously we're not trying to decry that the sky is falling, but as security practitioners, we always want to keep in mind what we can do better, how we can react to the new attack surface that's out there. So I mentioned multifactor authentication a little bit. This is certainly something that has been one of many layers that we've put on top of passwords.
(06:35):
If you look back, passwords, we think back in the day they were secure. And in fact, when we think about the origin of passwords, they were really in the sixties, used to book time on mainframe computers, and eventually we kind of used it. We used that technology to have some kind of security, some kind of authentication. We saw that didn't work. We started adding things like hard tokens, maybe we had push notifications to our phone. And as we look at some of the things that have happened like on the previous slide, the Uber breach, anything of that nature, those additional layers of security have only added to the complexity. In other words, attackers continue to bypass these new technologies. I have a couple of statistics coming up here just to give you an idea. 65% of the organizations that we polled earlier this year say that they think, or people in those organizations think, that their authentication, the mechanism that they use with all of those additional layers, is still not secure.
(07:43):
And at the same time, the amount of complexity continues to go up. Almost half of the organizations we polled had problems deploying MFA and it was a bad user experience. And we know when somebody has a bad user experience, they're going to find a way around it. We call that MFA bypass, where there are ways people inside the organization can bypass traditional multifactor authentication because it's just too hard to use. So a couple more stats that are worth mentioning. I don't have to tell you how many stolen credentials sit on the dark web. I don't think there's a month that goes past that my Equifax report doesn't come out and show that somewhere my credentials are on the dark web. Obviously you want to make the right moves to try and mitigate that, but this number continues to grow. Earlier this year, we're over 1.5 billion stolen records on the dark web.
(08:40):
A lot of it has to do with phishing. And phishing is again one of those primary attack vectors. In fact, over 89% of organizations have seen a phishing attack in the past year. Now, keep in mind this is what's being reported. There are still instances where phishing attacks aren't being reported or perhaps they don't even know about it. Indeed, some of these security measures that we put in help, but not completely. So for instance, you get a one-time password pushed to your phone or you have something that comes up on your smartphone that says, will you allow this? We've seen a lot of push fatigue, people that get pushed notifications and after a while they're busy doing something after maybe the 25th push, they're not even looking anymore. They just simply hit okay. That was the basis for the Uber breach earlier a couple months ago, and there was one just this past week.
(09:39):
So we're seeing that some attacks are happening because of push fatigue, and in other cases we're seeing organizations that report credential stuffing attacks, meaning that they are not using push, but the hackers are using a library, trying different credentials, and eventually they get in. So obviously the purpose that we had with MFA originally isn't meeting our goal of stopping these attacks. Now, one of the most alarming things that I've seen out there, and I put this specifically on a slide by itself, is the fact that when an organization experiences a breach of any sort, we asked our pollsters, what did your organization do after this attack? And 64% of the organizations continue to have the same approach to passwords that they had before the attack. So they always say insanity is doing the same thing again, expecting a different outcome. This is a situation where we believe that organizations don't know or aren't necessarily driven to take that next step in securing themselves in a better way after a breach.
(10:57):
So the last bunch of statistics that I want to share with you, and then we'll really get into the meat of it, is why are people, what are some of the obstacles that people have in deploying traditional MFA? Certainly there are a bunch of reasons. Poor user experience and integration within your stack are way up there. Almost half the people said that some of the stumbling blocks are in fact a poor user experience and integrating everything. Some have said cost and some have said just, it's too hard for me to do at this point. I have bigger fish to fry. So while there are reasons that people are not perhaps deploying the best in security, there are really good reasons why you should, and that's exactly the purpose of today's webcast. These two numbers I want you to keep in mind, the integration piece and the resources piece. We're really going to dive into that today, because there should never be a case where you can't deploy technology because it takes too many resources or the integration aspect is difficult. And that's exactly why both Bravura and HYPR joined together for this call: to show you that it doesn't have to be difficult, it doesn't have to take up a lot of resource, and more importantly, it can be a huge benefit to your end customers both from an experience and from a security standpoint. So Ian, with that, I'm going to hand the ball over to you to talk a little bit about some of the silos that you're seeing.
Ian Reay (12:32):
Yeah, thank you very much there, Michael. We've historically always been brought in to bridge the silos that exist in these companies when passwords were considered sufficient. We decoupled that by synchronizing the passwords across the different silos that companies have, such as how their employees authenticate, how their operations staff authenticate, how people get into dev test labs, how people authenticate to the network. In the past, having that one good authenticator being a password was acceptable enough, but certainly then people try to bring MFA scenarios into here. As you can see here, they bolt onto each individual area, and bolt-ons have started to add friction across the board here, where your employees authenticate with Okta and leverage Okta Verify, your operations team has chosen Duo, your developers might be, say, focused on the Azure ecosystem, so leveraging Microsoft Authenticator. And again, continuing with this, companies make decisions for business-related purposes: meet budgets, meet timelines, bring in the level of security given the problem that they're trying to tackle.
(13:56):
But each time they do this, they're introducing what turns into being a silo, and their decisions are then having these usability effects on their employees. It's pretty routine that people have these mixtures of apps on their phones in order to handle the various kinds of hats that they have to wear. And it's friction inducing, it's frustrating. It takes people time to get things set up. When you lose your device, it can take a long time to go through and reset everything. The friction, too, to the points here, the friction is getting to the point where people will circumvent when possible, they'll move into the shadow, so to speak, and introduce other technologies to get their work done that might not necessarily be the best choice for your organization moving forward. And that's where, maybe if you move on to the next slide here, this is rapidly becoming the norm of what we see with companies: they have multiple different approaches for employees to authenticate, possibly for valid business reasons, possibly due to mergers, acquisitions or other things.
(15:20):
But again, it brings friction, brings complexity, especially when people have to work with each other's areas frequently. You see people having to make the best with what they have available to them. So you're seeing a proliferation of departments bringing traditional password managers into play here and people doing what they think is best. But realistically, convenience is dominating many of those decisions. And that continues with, say, engineering groups, where, say, KeePass is a nice little dirty secret that we in engineering areas have abused significantly. And it's one where you're making these convenience decisions rarely with thinking about MFA, mostly depending on corporate security boundaries. But as identity becomes more and more of a key thing about how you access your resources, you can't really depend on those security boundaries anymore. You have to focus on how to handle each one of these cases. And the complexity was just exploding. And that's where, as you've introduced here, HYPR and Bravura Security are trying to work together to give people the tools so they can start working out a bit of a strategy on how to put the genie back into the bottle, so to speak. How do they let their employees use the infrastructure that they need while not letting it go completely into the shadows? And so, sorry, I'll toss it over to you here, Michael, now.
Michael Rothschild (17:05):
Yeah. So what we really want to do is give you four or five points on how you can make this happen. Every part of the technology that we saw before is important, but how do we orchestrate this better? How do we ensure that we're not using passwords on a regular basis, which we know can be defeated? And this gives us point number one, which is eliminate passwords, period. There should be no reason why you have a password. Like I said before, they were built to reserve time on mainframes. So there really is a way today to be able to eliminate any types of passwords or shared secrets. Now, in this semi-complicated depiction here, this is the way I log into my computer every morning. I happen to use a Windows-based computer, but whether you use Linux or Apple or something else of that nature, when I log in in the morning, I can authenticate using my phone, in the upper left-hand corner. I simply press the button and it authenticates with a biometric.
(18:13):
There's a key, a private key, that sits on the TPM or secure enclave of my device, and then there's a public key that's stored in the cloud. By giving my biometric information, I'm not passing any type of shared secret or anything. Instead, it simply authenticates with a biometric. Now, the one really important thing about this is eliminating passwords and shared secrets is one less thing to steal. But one of the pitfalls, as we mentioned before, is are you really getting rid of the password, or is that biometric masking a shared secret or a password that happens in the background? So with the polls that I mentioned before with our pollsters, we asked those that had some type of passwordless solution, is it really just masking a password? And we brought in all the information in terms of does it do something in terms of sending an SMS or shared secret on the side, or even a password after you authenticate biometrically.
(19:13):
And we found that 65% of those that were using some type of passwordless solution are really just masking a password. So when you're ready to go passwordless, make sure that the technology that you choose is truly getting rid of the password rather than just not showing it to you as the end customer. So that's number one. The other thing that we want to think about is coverage. Now, I mentioned I log into my computer, I use obviously the HYPR application to be able to get in passwordless, but there are a lot of technologies out there that will only allow you to go passwordless once you get to the cloud: you log into your SSO, like an Okta, or you log into an application like Salesforce or something else. Think about them. Maybe you can make these passwordless, right? But you really want to start the process when you're logging onto your desktop.
(20:15):
So when I log into my desktop, I happen to use Windows Hello for Business, but it's passwordless; HYPR sits on top of that. And now you may ask, well, what's the difference about my desktop? And if you think about it, if you are ever using a browser, you may have cached information that's secret. You may have passwords stored in your keychain or in your browser. You may have files sitting locally. All of that stuff you want to protect. So one of the things that we recommend is being able to find a solution that not only deals with your desktop, I'm sorry, not only deals with your cloud-based applications once you're in your desktop, but actually starts at the desktop. We call that desktop to cloud, meaning that anytime you need to authenticate, you want that passwordless solution. At the same time, we've seen many customers that may start with us on taking care of their employee base, which are the first two kind of pictures here from left to right, and then they want to roll out something to their customers. For their customers, the amount of account takeovers that they're seeing ranges in the neighborhood of 22 to 27% of their entire customer base.
(21:34):
Being able to give this to your customers also makes it that much more seamless for the customer. They love that: less having to figure out passwords, resets, all that other stuff. Being able to have that complete story from desktop to cloud, from workforce to customer and consumer, is really important. And I actually did a bit of a test when I first started using it. Before I went passwordless, I had 23 different business logins; every day I used 23 different logins. And when I deployed a passwordless security solution, I have one login, no comments from the peanut gallery. It happens to be my face as the biometric, but that's all I need from desktop to cloud. And that's something that you should look for when you are thinking about a passwordless solution.
Ian Reay (22:25):
I think I second that kind of experience that you had, because I also, I had a very similar experience. I've been doing password management for 15 years here right now. And I have to admit, when I was like, I'm going to take this passwordless leap, there was a little bit of anxiety and whatnot as I'm like, can I really do this? And I put the workforce on my laptops, I adopted Bravura. I randomized all the passwords that I had and I took that leap where I'm like, I want to forget every single one of my passwords, because if I remember it, then it's insecure. The human memory can't remember secure passwords at the level that we need. So we have to embrace them, we need to forget them and then take that leap. And can you take that leap? And when I did it, that's when I'm like, it's now painful going back.
(23:22):
I don't want to; it creates the friction in the opposite direction, which is what we want to instill in everybody. We want that friction where it's like, I have to use a password here right now, rather than I pull up my authenticator, because of the current frictions that exist here. And that's where, as companies realistically need to secure, they need to get passwordless, because people have to forget these passwords. Any passwords that do remain need to be random-character passwords to be remotely secure. It's beyond our ability. We have to accept that. So don't try to remember, but then also don't store them in a spreadsheet. Don't store them in an office document. Don't store them on a sticky note. And I have family members who, when I talk to them about this, they're like, yeah, my password's on a sticky note. And I'm like, there is truth to that; after all this time you'd think it'd be different.
(24:22):
But these are the realistic things that happen day to day when people are doing this. And also there is a real problem here where we've talked to multiple customers who are trying to introduce random-character passwords. How do you make sure that your staff can do this without true anger towards you, too? Because this is a hard thing for your employees to do if you don't give them a realistic approach that starts on the desktop, takes them into the tools that they need to do their job, and then brings in just-in-time strategies for gaining access to production resources. How do you connect? Don't know, don't care. I'm connecting. It's easy, and making it simple. Similarly, when you're connecting up to maybe less mission-critical systems, but still important ones like third-party RFP portals, or maybe where some confidential information is being shared, your legal group's data rooms and other kinds of things where certainly sensitive, confidential information is being shared.
(25:22):
Your marketing teams with respect to working with third-party groups for content being created here, your support teams and services teams providing services to your customers, where they might need to log into a network and do these kinds of things frequently and provide services. This happens through email, it happens through IM, passwords going through this. How many times have our staff been shared VPN credentials over email, in plain text? It's just kind of shocking. And we need to be able to get people out of that and give them secure ways of sharing. And then also just making sure that, jokingly, your dog's name is never a part of it here. Those decisions that people make when they're choosing these things, they're not viable. Choose random. And this also applies to, say, passphrases as well. People have a very restricted vocabulary. Don't think a passphrase protects you, because chances are most people will choose a color and a car and a date or something as a passphrase.
(26:31):
It might look artificially long, but it's actually really easy to break. And that way, when you give people the tools, you start to empower them in the lifecycle. That is so critical to think through. And if you have, so when people join up to your company, how do you get them in passwordless on day one? Stop sending a password. It's common that people send an email that has your username and a password in it on day one to get going. We need to change our thinking on that and send them the passwordless authentication link to register, so that on minute one, as you get going, you're using good authentication. And that way, when you join the organization, you have that good experience as you break down the silos, as you remove unnecessary complexity, standardize on that one good approach across the different organizational units. You don't have to compromise that good authenticator by making them register secondary ones when they move, when they get promoted, when they get transferred into another department. You want to make sure that the mover scenario is as frictionless as possible, because any friction there just means people will circumvent it or make a compromise decision to hit budget and timeline decisions rather than actually properly securing your environment.
(28:03):
And then if you have a lot of silos, if you have many authenticators, if you have many of these approaches, chances are your leaver scenario is going to be a challenge, because probably you don't have a central point where you can terminate people's access quickly and easily, especially the remote access: being able to terminate that quickly to your IDPs, to your enterprise password management solution, being able to quickly change that password to kick people out of things. If there are passwords under the covers for certain legacy environments, it's critical that you think through those leavers, and the more silos you have, the harder this gets. And realistically, a lot of people say, well, I can kill people's access in, let's say, 12 hours, a common SLA being used. But if you're honest about that with how people are logging into data rooms, how people are logging in to service your customers, how people are logging into marketing material, and when those things are decentralized and not under your central IDP approaches, realistically that access termination could take days, weeks, maybe even months in some cases. And so you need to be really honest and think through each one of the silos that really matter, making sure you have this modeled out here. So make it easy to join properly, make it easy to move. Authentication is decoupled here so that people can adopt it easily. And when people leave, when you have that one good approach, it makes it really easy to have that confidence of access being killed.
Michael Rothschild (29:53):
Yeah, it amazed me. There has been one bank that I've worked with in the past, and to your point, they actually gave a metric that on any given day they have 150 people either joining, moving in their job, or being offboarded. So very relevant, because as we know, these things change, and if you have all of these different systems you have to deal with, something's going to fall through the cracks. So really good data there.
Ian Reay (30:26):
150 opportunities for an honest human mistake to happen. It creates the orphans; that creates the chink in the armor.
Michael Rothschild (30:34):
That's right. That's right. One of the things that we're asked very frequently is, well, how do you onboard people? We made the decision to go; it's got to take a long time to make that happen. And I did want to give one example, a Fortune 500 company specifically involved in manufacturing. This was earlier this year, where they had about 60,000 users that they wanted to onboard. It happened to have been a PingFederate and Windows environment, and this was a particularly interesting phenomenon. They did want to move people over, but they didn't want to make a mandate: by this date, you have to do that. And one of the things that they did was they actually had a kiosk set up for anybody that was nervous or trepidatious, as you described earlier, about how do I become passwordless? So they did have this open support bar, and you can see here that they actually turned it live on May 29th.
(31:39):
They started enforcing it towards the end of July, but from the end of May, essentially June through the beginning of October, they brought up 60,000 users very, very quickly. Of course they did the right thing in terms of having that open bar, having that kiosk, being able to have events to get the laggards or the people that were trepidatious in. But this isn't a process that necessarily has to take very long in terms of bringing people online. And I think, Ian, you mentioned earlier that even we're in the business, right? And you were a little trepidatious at first, but it really becomes easier. And I love the quote of another customer, not specifically this one, that we had. This person was a senior-level person, senior director or VP, and he was very nervous about going and doing this, and he kept on ducking out, not doing it. When we finally got him to make the change, he said, I'm so embarrassed, it took me longer to brush my teeth this morning than to actually get this done. So I love that quote, because it's one of those things that you think is hard and it's not. Yeah. Do you want to talk a little bit about how HYPR and Bravura work together to help customers?
Ian Reay (33:08):
Yeah, for sure. So what we've done is, Bravura Pass and Privilege and Identity have been historical products, products we've offered for a long time in the market, where Bravura Pass is being used to help people change their passwords, to basically bridge the silos by having consistent passwords, a bit more realistic for people to remember. Our goal here is to basically help people change passwords but hopefully not, and only use them in an emergency, helping people to get back into legacy systems. Bravura Privilege is a just-in-time strategy that allows people to gain access to mission-critical production, critical systems here, using various different approaches. Bravura Identity is what can build up your company: provisioning, birthright access, allowing people to join, move and leave with an automation-centric approach, bridging the different silos, bringing standardization to them. And in all those cases, being able to authenticate really strongly to those products is quite key to this.
(34:19):
Being able to have confidence that these services are secure, because they're governing your passwords, they're governing your infrastructure. I jokingly like to say that Bravura Privilege has the keys to the castle and Bravura Identity can just disassemble your castle. And so it's really important we have the confidence of who's gaining access. And then we've also introduced recently Bravura Safe, which is a way to store these decentralized credentials I was talking about: for your legal team, access to data rooms; your marketing team, third-party services; for your IT team, with, say, hard drive encryption passwords and stuff, giving people ways to store this stuff well. But the common weakness of the password managers is that they tend to have weak and optional MFA, and that creates a honeypot.
(35:12):
One of the key risks here is how. That's where, with the partnership, we introduced HYPR: we can bring authentication through all these products to basically decouple the authentication out of them, give true, good passwordless experiences here that you can really depend on, get people into it once, then continue to expand it through your ecosystem. And so, say, my personal experience: log into my laptop, passwordless; log into Bravura Privilege on a daily basis, passwordless; be able to then connect up to the production resources or whatever resources I need to get my day done, and get angry if I ever need to use a password. Because so often now I can just forget them all. Everything is random. And that's where now I can have the confidence and sit back and go, yeah, everything is random. Good luck trying to break into some of these things. I kind of view my passwords as encryption keys.
(36:19):
Just keep them nice, keep them random, keep them long, forget them immediately. Never try to remember them. And that's where it's trying to introduce that experience and that confidence people can have as they do that cultural change. Because the executive that you were talking about, they had to take that cultural change, that leap, to experience it. And that's also where it takes the time you need to get some of your champions into the program here first. You actually don't want to do this immediately, in just a week, to introduce things, because you want to build up the champions, you want to build up the people who can coach and guide people. And how do you introduce this to organizations smoothly? Well, because some people are going to just leap on this and other people are going to be a little concerned. That's human culture, all a little different here. And just finding those paths to coach and guide through here. And so that's a little bit of background of how this partnership was developed, at least from my perspective.
Michael Rothschild (37:21):
Yeah, absolutely. So I guess one of the questions that has come up already, and certainly we are taking questions at this point, so please, if you haven't already put 'em in, do so. But Ian, just to kind of dovetail off of the message of this solution that we have, how does it work with HYPR inside Bravura, HYPR alongside Bravura? How does that work?
Ian Reay (37:53):
Yeah, so we built native and direct integrations to the HYPR service, where we have a flexible series of authentication options that we can support. And OneAuth powered by HYPR is now our default approach going forward in the releases that we just released here over the last few weeks. And the goal here is to make passwordless experiences now the default that people can trust and depend on. And so it's leveraging best practices, APIs, using authentication here so that people can have the level of assurance and standards compliance necessary to make sure that this is an infrastructure they can build their programs on going forward.
Michael Rothschild (38:48):
And I think what you mentioned is actually a really good point, the compliance aspect of it. If we were talking a year ago, I think nobody or very few people would've thought, what is phishing-resistant MFA? What does that mean? And today even my 90-year-old barber knows what phishing resistant is. So much has changed, to the extent that I think it's CISA, the Federal Trade Commission, OMB, GDPR rules, zero trust, they're all talking about passwordless now, they're all talking about phishing resistant. So the whole notion of a compliance-related aspect to it, and one of the populations that you can get on board in terms of a champion truly is compliance and risk mitigation.
Ian Reay (39:41):
100%. And that's where also one thing I'll say is, I was personally quite shocked when I saw the maturity of the attack frameworks that have come out in the last year or two, how quick and how easy it is to launch these attacks, and that basically if it's based on what you type in... we've supported, say, tokens for 15 years or more as a best practice. But if it's something that you can type in, it's now something that people can phish, and that's causing most organizations to review their practices in light of almost like an earthquake kind of change in the market here in the last couple of years and the explosion of these attacks at scale. And that's where giving people a relatively easy button to meet those compliance checks with confidence, but also with relative ease, like how easy it is to turn this stuff on. And that's where again the user experience is so critical, and that's where having a good quick user experience of onboarding simplicity and then authentication simplicity removes the excuses to circumvent, because you end up not wanting to; it's simply the best way, and that's that uncompromising experience you want to introduce to your staff and make them enjoy this rather than grudgingly pull out their authenticator token and type that PIN in yet again.
Michael Rothschild (41:16):
That's right, that's right. Okay. So it looks like this question is for you, Ian, as it relates directly to password managers. The question is, what are the problems with co-mingling personal and professional password managers?
Ian Reay (41:32):
Yeah, so that's a key with shadow IT. A lot of people have brought in... how many cases where you see people using their personal password managers to store enterprise passwords, and that is a relative norm here. It's probably better than a spreadsheet, until people leave the organization, because when people leave the organization they're taking those secrets with them, and that can be both friction-inducing, embarrassing, and also risk business continuity. When people leave an organization for multiple reasons, then you realize that you don't have the access that you need, and that's where it's important to establish that good separation, because you want people's personal lives to be secure as well, and you don't want your employees being blackmailed or extorted or anything due to risk from their personal life that would affect you. So be secure personally, but have a dedicated enterprise side of it here as well, so that when you leave the enterprise the decentralized passwords can transfer to a manager or another person of responsibility to review, but not violate your personal privacy.
(42:56):
It's super important not to have your banking passwords in there, and a lot of companies also really do not want you to do that, because if a life event happens where your spouse might need access to these secrets, companies don't want to have to broker this and potentially really risk violating your personal privacy and create all these risks. So a good clean separation for your personal life and your professional life is so important, so that when these life events happen, it happens cleanly and people's privacy is respected; everybody knows the rules when they go separately. It shouldn't be a surprise how your privacy is going to be respected. It should be known on day one when you get onboarded how your privacy will be respected. I think another key thing, thinking about joiners and leavers with the co-mingling and personal devices and stuff, it's really amplified the complexity and blurred lines, so it's so important to get that separation.
Michael Rothschild (43:51):
Yeah, absolutely. And I would say arguably on the business side of things, you want to go passwordless as much as possible. Certainly on the consumer side we've seen passkeys come out and other things like that. So it is becoming consumerized, so become as passwordless as possible, and where you have to bite the bullet, obviously there is something to do. There is a follow-up question, Ian, on this. Does Bravura ensure compliance of this password manager segregation?
Ian Reay (44:22):
So in short, yes. With a lot of the cybersecurity insurance elements, a lot of things are to prove governance of passwords, and that's where when you have a nice clean separation between business-related passwords and personal passwords, with a way to get all your employees into one good area. So many of our customers have adopted multiple password managers because their lines of business made a small business decision for their short-term needs. It becomes incredibly hard to certify and understand just truly what you have: which teams are doing well, they're using good random passwords; which teams are reusing their passwords and might need some coaching and guidance; which teams don't have anything in there, which might be an indicator that they're using something else still, and you might need to coach them and poke them and prod 'em a little bit. But with Bravura Safe you can establish that as a baseline, and then also promote the credentials that need an additional level of control to Privilege for credential rotation and stronger password policies and never disclosing them out to people for a lot of those legacy systems, and having one good authentication approach that you use to get onto your laptop.
(45:42):
Getting into these tools helps with just making sure that the whole ecosystem is meeting those security assurances that you need, and then makes your audits a lot easier. Just show the auditors that, and then your auditors might even go, that's actually something I might... hopefully they're currently in regards to.
Michael Rothschild (46:04):
Okay, cool. There is a question that's probably a little bit more for me, but Ian, please feel free to chime in as well. How do you deal with an employee getting a new phone? How do you do that reset? So I'm assuming this is about doing the authentication piece, whether it's a face or a fingerprint or something else. And I'll tell you a quick funny story. We actually had an end customer that was skiing and they met with some other immovable object, and the phone broke, and what ended up happening was that phone was not usable anymore. This person went to get another phone. And the beauty behind this is that the authentication is not specific to the device. One of the really nice things about it is, and there's a few different ways to do it, but perhaps the easiest way is for an administrator to send a new magic link, which is for you to sign up, whether you do it through Bravura or through HYPR, immediately. So this guy literally got to the bottom of the hill. I don't know why he was working while he was skiing, but by the time he got to the bottom of the hill after he met with this immovable object that broke his phone, he had a new magic link and he was going right away. So the identity is not specific to the phone; it's just the private key that is stored on the phone. So that's something that's easy to do.
Ian Reay (47:34):
Yeah, 100% on that. And that's where too, integrating it into your employee joiner and your lifecycle part of this, it becomes so much easier, because if you have siloed authenticators, this is a painful process when you've destroyed your phone and have to go in and ask each different application to clear your MFA and to allow you to get back in. This can be a simple thing where you can also focus on minimizing help desk costs and try to avoid them whenever possible through secondary as well here. So there's multiple paths here.
Michael Rothschild (48:09):
Yeah, absolutely. Another question here is regarding onboarding, I guess. How do you get a new joiner to use passwordless as the first thing without involving communication to a personal channel, like a personal email, the security of which you can't be sure of?
Ian Reay (48:29):
So that's where you'll have to integrate it into how you're verifying the identity of people when they're coming in on day one. Every company is going to have some different decisions on there. And it's also going to depend on whether you're a remote-centric company, hybrid, or an in-the-office scenario. That's where there's certainly a lot of very interesting work being done in identity proofing to help with that joiner case here. A lot of companies operate with basically, say for example, sending an onboarding email to the person's manager who is going to be onboarding them. There's no password in there. It's a one-time-use registration link. When that person gets onto a web conference and starts bringing people in on day one, getting them set up, if you're in a remote situation, that link can be shared with that person. Once you have confidence that you're talking to the right person here, whatever that format is, it's up to your business practices ultimately to define here, and then start guiding them through the sequences here. But also it's really beneficial that that way the person who's doing the onboarding never has to know what this person's password is. They don't have to have this email sitting in their email inbox for five or 10 days with a password that is potentially in the audit logs now. And then you can do this a lot cleaner, a lot more efficiently. It's not in email logs.
(50:00):
And then it can also be a thing that you push culturally: never ever put passwords in emails and IM files, use better approaches for it that we can respectively provide, and it helps on day one. Don't... policy. It kind of waters it down, so to speak. Experience involves exception to the best practices.
Michael Rothschild (50:24):
Yeah, absolutely. Well, it's been really great. We're at the end of our time. There is one question which Chris has asked; it's a little bit more nuanced and technical. So Chris, we will follow up with you after the call. There are a couple of qualifying questions before I answer this one or Ian answers this one. So we'll follow up with you, Chris, after that. Ian, as always, it's a pleasure to have you on these calls. I certainly learned a lot and I'm sure the people viewing this learned a lot, and we appreciate the partnership. And if anybody should have any questions, we have lots of follow-up information, we can do demos. We are all set to go as a joint solution, so please reach out to myself, reach out to Chris or to your local rep and we'll be happy to help you some more. So happy holidays, everyone. Thank you, Ian, and have a good rest of the day.
Ian Reay (51:17):
Thank you.