IAM Pulse Episode 6: Introducing BIO-Key MobileAuth
Traditional authentication methods are inconvenient, open to cyberattacks, expensive, and still can't verify "you are who you say you are". It's time for a different way to authenticate, but recent breaches show that passwords, OTPs, and hardware tokens are no longer reliable. Biometrics have become a preferred option for passwordless, but not all biometrics are created equal, so in this episode of IAM Pulse, we talk about BIO-key MobileAuth and how Palm Positive aims to change how authentication should be.
Transcript:
William Papa:
You're listening to IAM Pulse, a podcast discussing all things identity access management, from defending against cyberattacks to enhancing our overall cybersecurity strategy. This podcast is brought to you by BIO-key International, an innovative provider of flexible, secure access management and biometric identity solutions. We're sitting down to talk about the impact identity access management makes on you and your business.
William Papa:
Welcome back to another episode of IAM Pulse. I'm your host, William Papa. And today I'm joined by Kim Johnson, VP of product at BIO-key, and one of your usual hosts on the show. Today she's actually joining us to talk about biometrics, how they aren't all created equal, and to highlight a different way to authenticate with BIO-key MobileAuth. Welcome to the show, Kim. And how does it feel to be on the other side of the table this week?
Kimberly Johnson:
It's been a while. We've done plenty of these podcasts, usually I get to be in your seat. So excited to be here though, and excited to be on this side.
William Papa:
Yeah. Admittedly, it's weird being on this side instead of in the editing room. So for sure. Yeah. Different kind of environment, but beside the point, let's get the show started. So today we're talking about biometrics and the evolution of multi-factor authentication. So the problem is, as you put it, oftentimes that traditional MFA is failing us. Authentication is about answering the question: are you who you say you are? And so I wanted to ask you, Kim, what are the problems with traditional MFA? Like, how are they failing us?
Kimberly Johnson:
Yeah, that's a great question. And it's funny, right? I've been at this over a decade now and seen multifactor, which actually started as two-factor authentication back in the day, evolve over the years. When it first came out, some of the financial institutions that first had to require it put in things like a username, password and knowledge question. And then very quickly the regulations changed to say, well, that's not actually two-factor. That's still all something that you know. So, you know, we've seen it evolve over the years. We've seen different tactics come and go. And I think the main thing with traditional MFA, as we call it, things like one-time passwords, hardware tokens, you know, SMS OTPs, there's a couple of ways that I'd say they're, quote unquote, failing us.
Kimberly Johnson:
First of all, they're inconvenient. I don't know about you, but we've talked about this, right? The OTP panic mode, right. I watch the clock tick down as I try to enter my OTP and find it fast enough. But they're cumbersome. They interrupt customers and employees on day-to-day tasks. It's hard to register some of these things. You have to constantly find and dig for your hardware token at the bottom of your purse, if you're me. You know, it's just not convenient. And I think, you know, we've looked at it too. There was a study out there from the New York Times that basically said it's an average of 25 minutes to return to a task after somebody has been disrupted, you know? Yeah. If you think about it, I'm trying to gain access, especially as a customer, I'm trying to gain access to, like, my online banking application.
Kimberly Johnson:
Now I'm disrupted, I'm not remembering what I'm doing. I'm trying to find something, especially passwords. It's just not a convenient thing. The other point I'll make on this is that they're vulnerable to attack. So a lot of the reason things have evolved over the years is because, you know, for hackers it's their day-to-day job to make sure they can break in and break down the security barriers that we put up. Passwords by far are still the weakest link. You know, per the Verizon Data Breach Investigations Report, 81% of breaches are still from stolen or weak passwords. And then the crazy thing is that the traditional, more widely adopted one-time passcode, which I think maybe five, six years ago and even up to today is probably the main method, you know, mainly used for authentication, now we're seeing those intercepted. So, you know, you've covered it as well in some of our posts, but $16 is all it took for a hacker to gain control of all SMS messages to this one individual's phone and start sending her pictures of her WhatsApp and, I believe, Tinder account, which would be pretty scary.
Kimberly Johnson:
Yeah. Yeah. So you know, I think it's part of that. And then honestly they can be shared between people. So as much as we're all about, you know, moving to zero trust and knowing you are who you say you are, as you pointed out, organizations are really trusting, okay, well, the hardware token is present or the mobile phone is present. They still don't really know that the person who's trying to gain access is present.
William Papa:
Yeah, no, a hundred percent agree. I've had cases where, you know, I've had some friends use some of my accounts, and Google, for example, sometimes requires an OTP if we're using a third-party app like Photoshop or any Adobe product. And they would text me saying, hey, what's the six-digit OTP, and I'd have to text them. But then, you know, it's weird, because I'm just giving that information out. And then that time limit that you mentioned too, it is pretty short, you know, it's not timeless. And so, like, in instances where you get a text, it might be too late, maybe because of a server-related issue or not having enough service. So I'll be waiting five minutes just to receive one text.
William Papa:
And by that time I type it in, it says, oh, we sent you a new one, and then, you know, it keeps repeating. It's that endless cycle. So yeah, I see a lot of these issues with traditional MFA, and it sucks right now because that's the main thing that people are using today too. OTPs run a lot of the traditional MFA that we see everywhere on common apps that a lot of people have. So moving on. What about biometrics, right? Isn't that a good alternative to the methods that you just mentioned?
Kimberly Johnson:
Yeah. So that's a great question. Right. The good news for BIO-key and other providers of biometrics is, finally, they are becoming more widely adopted. If you look back to when, you know, Apple introduced biometrics as methods on the iPhone, that really started to kick it off for us as users to say, okay, I'm fine touching something or putting my fingerprint or using my face, facial recognition, to log in. But the part that's kind of troublesome is they're not all created equal, right? So something like a user-controlled device-based biometric, as we call it, which are some of these phone-based methods, is something that could be delegated by the owner of the device. So you mentioned, you know, your friends and things, and obviously you were just in school recently. There's nothing stopping you from enrolling somebody else's fingerprint on your phone and allowing that to then gain access to things.
Kimberly Johnson:
Yeah. Yeah. So the enterprise that originally said, okay, well, you're going to be the one logging in, and this is Will's fingerprint, when it's stored on a device like that, it really relinquishes the control, I guess, for the enterprise. So you can delegate it to somebody else. You can enroll somebody else. So there's been a lot of challenges there with, yes, it's convenient, but are you using the biometric that has the highest level of integrity in terms of binding it to the identity? The other thing we've seen too is that there's an accuracy issue. So things like the phone-based methods are about one in 50,000 or one in 1 million; the solution we'll talk about in just a little bit is one in 20 million. So it's just, yeah, it's not even close to as accurate.
Kimberly Johnson:
So again, trying to answer this problem that everybody's trying to answer, are you who you say you are? All biometrics aren't created equal. We're getting closer, because it is something you are, right, to log in, but it's something that is a challenge. And then the last piece I'd say about that too is it's only available on that device. So if I use, let's say, my iPhone to gain access to my banking application, and then I'm on a different device altogether, I don't have access to that fingerprint anymore. It's stored on the device I used to have, for example, and I have to go through either re-enrollment or find a different way to authenticate. So it's good that biometrics are being adopted, but we do have to be careful, because they are not all created equal. And then from there, I'd say what we're seeing and what we're really going after is what's called identity bound biometrics. And that really looks to be the solution, in the better category of biometrics that enterprises should be looking for, that are still just as convenient.
William Papa:
Oh, okay. I see. So identity bound biometrics, right. Again, it goes along the lines of confirming you are who you say you are. So Kim, when you bring up identity bound biometrics, or as we term it, IBB, as this new category compared to general biometrics, you know, when I first heard it, and I know certainly a lot of people when it was introduced to them, IBB will make people ask, what is that? So can you expand on identity bound biometrics, as it's new to a lot of our listeners and users in the landscape?
Kimberly Johnson:
Yeah. Yeah, sure. And that was part of the intention, right? We want people asking, kind of, what is that? You know, if you look out there, a lot of other providers are like, we give biometrics. It's like, right, but what kind? And I think it's important to start asking that question. So first of all, confidentiality, secrecy with biometrics, is really not the concern. A lot of people get hung up on that, right? Like, oh, if you see my fingerprint or steal it, you can use it. Or my face. If that was the case, then everybody's face in a Facebook photo would be hacked, right? So in terms of biometrics, what you need to look for are really four different things. So it's integrity, availability, security, and accuracy. When it comes to identity bound biometrics, it really gives you the highest levels of all four of those.
Kimberly Johnson:
So for integrity, which is probably the most important, we kind of touched upon this before, right. It is the binding of the biometric to the identity permanently, so that once somebody has enrolled, let's say, their fingerprint or their palm scan or their voice, that digital identity is bound now to that biometric, and that user is the only one that can use it to access their accounts. So you, for example, can't then enroll your friend's fingerprint to access the same thing. It's definitely something that's not stored on the device, and something that you can actually check in a more centralized way to say, okay, is this the same fingerprint that we originally delegated to that digital identity? That's extremely important for enterprise-level security, in all ways. The availability part, right, as I said, it's from any device. So with the user-controlled device-based biometric, the scanner, for example, is on my iPhone.
Kimberly Johnson:
It is always on my iPhone. And it is where the biometric lives, in brief. That means that when I get a different device or try to use a different device, that is not an option for me anymore. In other words, the biometric isn't going to be available on other devices, whereas with identity bound biometrics, it is. Security, this goes for biometrics overall. You can't forget them. You can't have them phished, stolen, forged. Like I said, a lot of people are like, oh, well, if I took a picture of your fingerprint. It doesn't work that way, right? First of all, it's templates, it's encrypted. You're not going to be able to just take a picture of a fingerprint, hold it up to something or put it on a scanner, and get in. The other piece of this is we offer liveness detection, detection that you actually have to have a living hand or fingerprint on the other side of it.
Kimberly Johnson:
You know, I always joke about the, there's all these movies out there with crazy scenes of eyeballs and fingers and things. Yeah, I mean, you know, Demolition Man, one of my favorite movies, but that's just not how this technology works. You can't make a fake, or a fake palm. You can't, you know, have something that isn't alive on the other side. So there's a lot there that's built in to make sure it's as secure as possible. And then accuracy, I think we talked about that, right? So something like a palm scan is 400 times more accurate than any device-based biometric. And again, that really matters when I'm trying to make sure, Will, you are who you say you are. Right. So, yeah.
William Papa:
Yeah. Wanted to, especially with the security part too. I know that's, for us, been one of our biggest messages, like our highly ever messaging is that you can't really forget biometrics, you know, like you can't forget your fingerprint. And then on the off chance your hand is cut off or something, I think that's one of the very rare cases, but at that point you have a bigger issue than, you know, authentication. Right. But again, also, I think this helps really go into, when you mentioned the movies, I think about the spy-related movies, how someone was holding, like, a wine glass, and then they got a piece of tape, taped it over someone's fingerprint on the wine glass, and then used that to log in. And that's not true to reality. You know, again, you need a liveness factor, and it's been tested and tested again. You really need to have an actual fingerprint that makes it, you know, yours. And it has to be an actual finger, not just some big piece of tape or a fake mold or whatever.
Kimberly Johnson:
And it's good for Hollywood. Right. I think that's the other point I'd point out, is that's a great movie scene. It makes for a good thing. If a hacker is really trying to get into something or breach something, or an enterprise or whatever it may be, they're not going to go after the biometric templates. You know, they're going to go after the backend systems or servers or things that are vulnerable. I think it's really important to point out. We've seen some major hacks and attacks coming out in the news, and they've increased, you know, by X percentage, I forget the percentage right now, over last year or the pandemic. You don't see biometrics as the cause. And there's a reason for that. They're not going to go to the extent of taking someone, kidnapping them. That, you know, again makes for a great Tom Cruise movie maybe, but it doesn't mean that that's how hackers are going about it.
William Papa:
Exactly. Yeah. So then let's talk about BIO-key MobileAuth. So it's a new authentication method that offers a different way to authenticate, but there's definitely much more to explain than just that. So can you tell me more about the authentication solution that MobileAuth has?
Kimberly Johnson:
Sure. Yeah. Yeah. And so this was, you know, a unique podcast. We usually don't do product-centric ones, but I thought it was important because it does solve those traditional MFA problems and challenges, and the challenges with the device-based biometrics we talked about. So BIO-key MobileAuth with Palm Positive. It uses a simple palm scan, very easy to use from any camera-equipped mobile device. And you can essentially scan your palm, and that can be used for multifactor authentication or even passwordless workflows, so that somebody can enter their username, scan their palm, no password required. The nice part about that is all the benefits I just talked about for identity bound biometrics, or IBB, are present, because that is what that palm scan is offering. So it gives a super high level of integrity, availability, security, and accuracy. And again, that's available on any of those devices, as long as the camera is provided.
Kimberly Johnson:
So it's something that is very unique in the market. I have not seen any type of authentication that comes close to offering that level of proving you are who you say you are, as well as it being very easy to use. I was joking, I did a webinar recently on it, and when I demo it, people are like, is that fake? Because it's just so quick, right? It's so easy to do that almost anybody can use it. So I'll highlight, you know, there's a free trial on our site. I really encourage anybody listening in to go give it a try. They can set up an account. It requires our platform, PortalGuard. But just see how easy this is to authenticate. And like I said, for somebody who's been in this for over a decade, it's exciting, because for once we have an authentication method that doesn't sacrifice the convenience component of it, but is just that much more secure. And like I said, accurate, with integrity and everything else that it has to offer.
William Papa:
Oh yeah, no, a hundred percent. And it's good that there's a free trial. Anyone can check out the free trial on our website. So Kim, you brought up that MobileAuth clearly solves issues that traditional MFA has and can be used by anyone. I think you mentioned before, too, that it can solve the case we saw on the news, that we heard about, where a victim's information is compromised off her phone for only $16, which is such a minimal amount. You know, imagine just going to the mall, buying, like, some food, a little shopping here and there, and that same amount is going to get you access to someone's phone, get you into their Tinder account, their SMS OTPs, et cetera. Right. It's a very scary, minimal amount. You know, you would expect a lot of these things to be really expensive, but, you know, $16, you can get just a $20 bill from your ATM and get some extra change with it too. Yeah, it's a very scary reality that that has happened. So while MobileAuth solves these challenges, what are the use cases that MobileAuth would work well in? Especially concerning IBB, for example.
Kimberly Johnson:
Yeah. Yeah. And I think that's a good point, right? The barrier to entry for a hacker to get into what's the most common authentication method, I think SMS OTPs, is so minimal. And I can tell you, in that article, it was crazy. Because, like, starting to receive pictures of your account, not from you, is pretty scary, and that's a bad day. It's probably worth a lot more than 16 bucks to Olin. But yeah, no, that's a good question. So for MobileAuth and for palm scanning from a mobile device, because it doesn't require any other hardware device, it's, again, something that's a camera-equipped mobile phone or, you know, laptop, et cetera. It's a great solution for customer IAM, or customer identity and access management. So we see things like banking, online banking, right? So, Will, I'm sure you have a banking app or a banking login, right.
Kimberly Johnson:
Actually, with some banks now you don't even have a branch to go into, unlike other ones. And so this is an excellent way to authenticate you as an online banking customer. So this is something the bank would actually enforce for you as their customer to log in. And then we've seen it also with students. So with students, we've seen some cases where, I'm sure you never did this, although, you know, I call it out, but the exams, you know, how do you prove that Will is the person taking your final exams, right? Yeah, no, making sure that's true, and that you really are who you say you are, especially in that case, where it determines you graduating and your grade, you know, is very important to be accurate. And again, that high level of integrity. So the customer IAM solutions, and being able to authenticate people external to your organization, is very important with MobileAuth.
William Papa:
Oh yeah, no, I want to reiterate on that student-related issue. I'm a recent graduate. So believe me, during the pandemic, with a lot of professors not requiring webcams to be on during an exam, or exams could be asynchronous, a lot of students can just, you know, there could be three students in one room, you know, all doing an exam at the same time, cheating off each other. It's a very common thing that happens, especially with the pandemic. And you know, a lot of students really didn't care, and it wasn't in person anymore. And with the online banking, admittedly, I rarely go to, you know, my bank branch in person. I just use the mobile app when I can, transitioning away from using cash in hand, just going into everything digital. It makes it a lot easier just to go into all my banking using things like my biometrics. I know from the past I used Touch ID when that was available, and now Face ID, and now with palms getting, it definitely would be a bigger step security-wise, and also I think a lot easier now than Face ID. So let's move forward to, what are the other use cases that MobileAuth has?
Kimberly Johnson:
Yeah. Yeah. So yeah, that's a great point. And so the other thing that we've seen is remote access, right. If anything the pandemic did was move everybody to remote. And now we're seeing, as you've probably seen in the news too, this isn't going away, right. We're actually, I saw recent articles, some people are willing to actually take pay cuts to be able to stay remote. Just because they've gotten used to it. It's more convenient. But that's a bigger challenge where, okay, how do you prove somebody is who they say they are if they're not in the building? And important functions like HR or other admin accounts, even those are things that you want to make sure you can really know the person is who they are when they're logging in. So remote access, using it for multifactor, for VPN access, a lot of those people access through that, are all very, very important. But again, with this identity bound biometric in a simple palm scan, you know for sure that, you know, Will, you're the one accessing the HR system from your home office.
Kimberly Johnson:
Yeah.
William Papa:
Yeah. Hundred percent agree. I've read the article about that too, actually. It's surprising, right? That, like, you know, I think someone was offered $30,000 to go into the office and they rejected the offer just to stay at home. Definitely a community-related issue too. But yeah, what we've learned from remote access recently, especially with the start of the pandemic back in March 2020, is that hackers now have a lot of gateway entries to, you know, basically access, you know, and please like compromised data. So you have
Kimberly Johnson:
Don't you think for hackers it was a field day? I mean, you imagine a hacker sitting there going, wait, everybody's going to be online from their own home networks, but they don't secure them. Field day. Like they probably had Christmas.
William Papa:
Right? It's like the Three Little Pigs story with the Big Bad Wolf. It's like, instead of, you know, one big brick house, it's 20 straw houses, you know. And it's really important too, yeah, especially with everyone being remote. It's like, you really can't tell, again, whether someone is who they say they are. You could have one of my friends coming into this meeting instead of me, and we wouldn't know until we started recording that that was them. So that's a very big thing. And that's a very big thing in terms of remote access overall, you know, it's not just certain scenarios like these. This is a very big thing that it's going to be, and as you said, I think for a very long time, even up to forever. Yeah.
Kimberly Johnson:
Yeah. And I would say, and then the other thing, you know, kind of going along with the use cases too, that was a field day for hackers is passwords, right? The thing that amazes me is we still talk about passwords. We still talk about having passwords. We survey companies, and they still are using them constantly. When people went remote, that was a field day, as we said, for hackers, because anybody using a password was very vulnerable. And so now, you know, we're seeing constantly this idea of passwordless, and removing passwords and eliminating passwords. Now there's a whole podcast we could probably do on passwordless and whether or not that's achievable, and when, and everything else. But the main way to do passwordless and start removing that very vulnerable and probably weakest link in security is through having something that you are, which is biometrics.
Kimberly Johnson:
Right. And so that's another use case, I think, where MobileAuth is very well suited, for, you know, a simple palm scan, as I mentioned, plus a username, and you're into the account. It removes that password as the weakest link altogether. So I've been to I don't know how many cybersecurity conferences at this point, and every single one has had a session on the death of the password. And so maybe, I'm hoping that in the next few years we stop having that conversation and say, you know, yay, we finally got rid of them, but we'll have to see.
William Papa:
Oh yeah. That's definitely going to be a very, very long time. People rely on passwords. And it's one of those, like, it's an unnecessary evil, because, you know, everyone, a necessary evil, sorry, because everyone's going to still use them. There was this story I had where a previous coworker of mine wasn't really securing their passwords. It was one of the simplest passwords out there, you know, anyone could have guessed it. And there's this feature on newer browsers, basically Google Chrome, Microsoft Edge, Firefox, where when you store your password on there for easier access, right, easier, like, you know, the password's already in at sign-in. It said that all their passwords were compromised online. People were able to find them. And you know, there was a big shock.
William Papa:
It was a big shock to know, like, oh, all my passwords are online. But you know, when you really take a step back, it's like, well, it's because I didn't really do anything with it. And eventually, whether it was a difficult password or an easy one, eventually hackers will get to the point where harder passwords become the easier ones, you know, no matter how many random characters, asterisks, exclamation points you add. It's just going to make the process, you're just delaying the inevitable. Right. So going passwordless right now is such a very big thing.
Kimberly Johnson:
Yeah. I saw a recent video, it was on social media actually, where they're saying, oh, what's your password? And the person's like, well, it's my daughter's birthday and the name of my pet. Right. And so they start having a conversation with the person, and they're like, oh, so what's your daughter's name? When was she born? Oh, okay. Do you have any dogs or cats or whatever, what's their name? And within about two minutes they had combined enough to get the password. You know, it's funny to listen to how we remember them; what we use to remember them is publicly available information. And then there's a report that comes out every year of the top passwords that are used, and inevitably password one, two, three, four, pound, or whatever, is always the same. Passwords, it's top of mind.
Kimberly Johnson:
So I think, you know, I'm hoping passwordless will solve that. I think there's been a lot of push in the industry. But biometrics is a way to get to that passwordless state, and make sure, again, that you pick the type of biometric that gives the highest level of that integrity that's important. And then I think, you know, use case-wise, the last one I'd highlight is zero trust. So talk about another buzzword. Another topic that's become extremely hot in the industry is zero trust and implementing what's called the zero trust architecture. And so that's all about, you know, a never trust, always verify type of mentality, that there's no perimeter, right. We always used to put the castle in the middle and the moat around it in security. There's no concept of that whatsoever, even more so now that we're all remote.
Kimberly Johnson:
And it requires a hundred percent multi-factor authentication, a hundred percent of the time, and on a continuous basis. Well, you and I know, if it goes back to that inconvenience issue of not being adopted by users, and being inconvenient and hard, then (a) users ourselves will find a workaround, and (b) we won't adopt it. So getting to that hundred percent is going to be next to impossible. Right. It's very hard to get adoption of multifactor if it's difficult to use. And then talk about zero trust. How do you trust an OTP? How do you trust just a hardware token? You're better off knowing for sure the person is who they say they are, and that you're actually trusting the individual versus, let's say, a device or a one-time passcode. So zero trust, I would say, is the other use case I'd highlight that MobileAuth with the Palm Positive scanning is definitely well suited for as well.
William Papa:
Right? Right. Especially as it is a very growing trend. It has been in the industry, as you just said. I know we briefly had some content on it a while back in 2020, when, you know, everything, as you said, was going remote. It was a very big issue. Everything had to go MFA. It was really important to get into zero trust just because of, you know, how easily available it is to just get compromised data with everyone going remote. So I think zero trust is a very big trend, and it's going to be this way for a very long time. It's good for, you know, BIO-key MobileAuth with Palm Positive to be involved in zero trust.
Kimberly Johnson:
Yeah. The last thing I'll say about that is, if you look at the executive order, right, that Biden just signed for federal, guess what, it mandates zero trust. So anybody that wasn't bought into it, or, you know, thinking about it, you better believe it's coming. Yeah. It's definitely the way for security. So anyway, that's, again, most of these topics we could talk about for a whole podcast.
William Papa:
Oh, a hundred percent. Yeah. Especially passwordless. We have a field day with those topics.
Kimberly Johnson:
Oh yeah. Oh yeah. One of my favorites.
William Papa:
So Kim, if our listeners want to learn more about the topics we covered, IBB and/or MobileAuth, where should they go?
Kimberly Johnson:
Yeah, sure. So the BIO-key website, bio-key.com. We have a multifactor authentication page, and you can easily get any information on MobileAuth or any type of multifactor authentication that we do offer. The thing I think I'll put in closing is that, you know, identity bound biometrics, MobileAuth with Palm Positive, is the future. It's something that you can use today for all those use cases we just talked about. When it comes to multi-factor, however, you have to have options and you have to have flexibility. And so it's really important that you can configure security policies, you enforce the authentication methods that that user group or individuals can use, and have a solution that can move you to the future and be ready for you to adopt things like identity bound biometrics. So yeah, I would recommend everybody goes to the BIO-key site and clicks on free trial. Give it a shot. And then, you know, always contact us if there are any more questions.
William Papa:
All right. Thank you, Kim, for the overview on why traditional MFA is failing us, and now there is a different way to authenticate. As mentioned, visit BIO-key at www.bio-key.com and learn more, especially on the multifactor authentication page. And that concludes this episode of IAM Pulse. Thank you for listening to the show. Again, if you want more information, or to listen to other episodes, go to bio-t.com or check out the other episodes talking about more news. And I'll talk to you guys soon.