Podcast Resources 1280 8

Contextual Authentication Configuration & User Segmentation

Contextual authentication also known as risk-based or adaptive authentication attempts to strike the perfect balance between security and convenience. The concept is simple - enforce the appropriate level of authentication for a specific user under specific circumstances. In this episode of IAM Pulse, we discuss the best practices for setting up a strong rule hierarchy to make Contextual Authentication work for you.


Listen to the podcast:

Spotify | Anchor.FM | Apple Podcasts

Transcript:

 

Kimberly Johnson

All right. So we will jump in and introduce our bio key team members. So first, um, I'm Kim Johnson, VP of product marketing, um, really, uh, helping, uh, do the moderation today with two of my teammates, I’ll let them introduce themselves.

 

We do like to do a brief bio. So I've been with, um, BIO-key since last August. Um, but this is my second tour with portal guard. As we say, having worked, uh, with portal guards in 2009 to 2013, I've had a career in IAM and cybersecurity ever since, um, and fun facts. We always do a fun factor, introduce ourselves. Um, I decided is that I have a brother, uh, my only sibling and he works for Epic games. Uh, so I grew up in a household, as you could imagine that I have great skills in things like magic, the gathering final fantasy and Warhammer. So for all those gamers out there that know at all what those things are, um, I'm in your camp. I have some of that knowledge. So with that, I'll turn it over to Christopher Perry, quick intro and fun fact today, Christopher. Okay,

 

Christopher Perry

Awesome. Uh, yeah. So my name's Christopher Perry, as you can see, I'm a senior technical support engineer with portal guard. I've been working on support for [inaudible] for about five years now, little over and, uh, additional 10 years of support and customer service and issue resolution prior to that. So I'm no surprise to these kinds of conversations, a brand new fun fact about me. Uh, I was actually premed for a while until I realized that I hated Math. Uh, then I decided to go into the technical field and learn a whole bunch of new skills that involve math. And now I realized that I just hated count two. So living you learn,

 

Kimberly Johnson

Oh man, that was a, that was a tough course, but yeah, I'm glad you found I am in the end. I mean, where we all end up. Um, all right. And Kevin, over to you, short bio and your fun fact for the day.

 

Kevin Wiser

Okay. Uh, well, hi, Kevin wiser, um, solutions architect. Uh, I've been with bio key for a little over two years. Um, and I've been in the IAM space for one really specifically in advanced authentication, uh, for a little over close to a decade. Um, and then in 94 as a society then, and started out as like a support tech and, you know, for, um, a better part of 20 years. So, uh, my fun fact, um, is that I actually broke my arm and my leg in one accident in two separate events. So I rolled over a golf cart when I was 17, uh, on a golf course, goofing around with some friends. Um, and when I did, so I tried to step out of it, rolling over and I tore my left leg out and broke it. Um, and then tried to put weight on it and it dislocated. And I put my arm out to catch myself and I shattered my forearm, both bones, the during the radius, uh, it took 18 screws and two plates to put it all back together. So not many people can claim something like that.

 

Kimberly Johnson

So your bionic a little bit of bouncing in there, but we're glad you're okay. Note to self, you know, don't tear around with a golf cart on the golf course, I guess, but, uh, um,

 

Kevin Wiser

Depends on which way you rotate it. Kim, that's what I learned in the end is one direction it's fine. And the other direction, it's not as fine.

 

Kimberly Johnson

They'll laugh maybe. Right. Depends on which way you're going. So what is contextual authentication or any of those other terms really mean? Um, just a high level definition. Christopher, can you start us off with that?

 

Christopher Perry

Sure. Um, I actually like to just refer to the source of the word itself. So contextual authentication is really about judging the authentication based on the context. So to boil it out just a little bit more high level, it's about taking some aspect of the scenario, whether it's the IP address or the browser that you're using, things of that nature to say, Hey, you have to do two factor or conversely, no, you don't have to do few factor. In fact, we're going to just block you, right. And it's just adjusting the authentication requirements based on the login itself, not the person necessarily,

 

Kimberly Johnson

Right. So the context of their situation. Um, and I know that there's multiple pieces of context that some folks, you know, that you can basically pull in and look at, um, Christopher, what are the ones that right now portal guard supports in terms of the different pieces of context we can use?

 

Christopher Perry

Not sure I already kind of threw out a few of the more obvious ones, uh, IP address geolocation are some of the big ticket items, uh, browser enrollment, whether or not you've actually performed to factor in that browser is another really good one. Uh, and then obviously things like, uh, time or anything like that or another one. And then the last one, uh, not used very frequently, but still popular is, uh, basically the wifi security. So if you're on a secure or public network, those kinds of

 

Kimberly Johnson

Right. And we hear about the geography one, I think often, right? Those are the stories where, uh, actually we had a customer, I worked with it and said that they had, uh, a worker who was supposedly working in California. And once they implemented contextual authentication, they started realizing that they were actually working out of Utah. Um, and so things like that, uh, you don't necessarily know until you set up the policy to go block any access that's outside of the California office and that, that user has found out as not being there. So, um, I hear about geography a lot. Uh, Kevin, any, anything to add there in terms of, um, you know, contextual authentication, or do you think we hit most of the topics?

 

Kevin Wiser

Oh, I mean, I think you hit most of the topic here. Um, you know, it's, it's really just a, a solution to, to have the system, you know, define when, when a user should be prompted for more or not, you know, or blocked or allowed or not. Um, and you know, I mean, like I said, you guys really kind of hit all the nails on the head. I don't, I don't have a lot to add there beyond that camp. Yeah,

 

Kimberly Johnson

No, no. I think it, actually, it reminded me sometimes we, we phrase it as the appropriate amount of authentication for the situation. Right. And I think it's, it's like Christopher said, you can fill out block a request, right. So that goes to more of the extreme and, and potentially, you know, everybody's about zero trust and not letting things in until you trust them, et cetera, you can really lock down access, but it gives you the flexibility to go the other direction. Right. With the knit up a little bit, if you know that they're in the right context for the access that they're, they're requesting.

 

Kevin Wiser

Yeah, absolutely. I think that's really clutches is like, I think there's maybe a view or an assumption that what, like, you know, this is always going to be about limiting what behaviors are user is allowed to do. Right. You know, or, or what, what access I'll go to allow a user based on that. And sometimes it's, it's more about being more permissive, you know, if they're in the office and they were, you know, um, you know, like to charter that by like an IP range or something. Um, and they're from a system that I recognize and, you know, maybe they had already authenticated this morning with MFA. Um, you know, then, you know, aren't, I pretty confident that that's who they say they are and they're the type of person I want, you know, doing XYZ. And so, you know, sometimes it's about being more permissive than restrictive. And I think that, like I said, that there's kind of a, an assumption there that this is just really about like, you know, blocking attackers and not necessarily about helping users, but, but it can be both.

 

Kimberly Johnson

Right. Right. And I think that somewhat goes into the next benefit, right. Where, I mean, out of all the, you know, what our, we always say 15 plus authentication methods that we offer, you have this huge, you know, um, plethora of options to choose from, but contextual really lets it be more dynamic. Right. It's really going to let it balance the convenience and the security. Um, what are some of the other key benefits, uh, either Christopher, Kevin, that you've also called out or maybe in that same vein, um, that you've seen customers experience or this is part contextual authentication?

 

Kevin Wiser

Um, well, you know, I, I, like I said, the permissiveness is, is a big one and, and being restrictive. Um, but some of the nice things that you can do, um, you know, that kind of tie into that, um, are, you know, the analytics reports that come along with it, right? Like you had, you'd mentioned this user coming out of Utah. Um, you know, a lot of times when you implement these kinds of policies, um, you know, you learn some stuff about the way that your users, um, are utilizing their systems. Right. And that's one of those kinds of like occasionally hidden benefits where it doesn't maybe like pop out on the screen at you. Um, but you know, I mean the world is behavioral analytics is, is like an entire industry in and of itself. Right. And I mean, you know, this day and age, you know, you look at like Facebook and, and, you know, um, the customer is the product.

 

Kevin Wiser

Right. You know, I don't want to get into that too deeply apologize, but like, you know, it's a whole thing, right. I mean, it, it exists and it's, it's like, it's its own set. Um, you know, and you can really learn some interesting things about your users and how they use, you know, your systems. You might even learn something. Um, you know, you didn't realize that you had a lot of users, um, dialing in to access Salesforce because they, you know, didn't have access externally or something. You know what I mean? I don't know if that's a good example, but you can learn a lot.

 

Kimberly Johnson

Yeah. Yeah. That reminds me of, um, I've heard oftentimes customers talk about single sign on and apps to single, you know, single sign on to applications, let some figure out shadow it. Right. Just by nature of having to integrate those applications while the person's going to have to let you know they're using the application in the first place. So like you said, that's a interesting, kind of hidden benefit to contextual authentication. Um, Christopher, how about you, any tangible benefits you've either seen directly with customers, um, or kind of high level benefits you don't think we've hit upon yet?

 

Kevin Wiser

Yeah. Uh, probably the, the biggest one that comes up a lot, once you get on with the conversation, but is the ability to balance the usability and security aspects because when you're trying to deploy multifactor, uh, one of the most common things that come up is, Hey, my users don't like this it's too restrictive, or they they're always having to do two factor, et cetera. How can I make this easier, but not reduce the security to a point where it's kind of knowing void contextual authentication helps to address that issue by allowing you to find that balance and kind of strike it relatively easily, but within a flexible nature. So you can say just like Kevin was saying earlier, Hey, there are certain conditions under which you don't have to do two factor. Cause it doesn't really give you any additional benefit.

 

Kimberly Johnson

Right? Yeah. It's too, it's too restrictive. Right. Essentially you're enforcing stronger authentication than is actually necessary for the situation at hand.

 

Kevin Wiser

Yeah. No, that's a really good point too. I mean, that's, that's the big one, right? Like, you know, is again, do, do I trust the user that's at my facility, but sitting at one of my computers that's, you know, signed and I've done a,

 

Christopher Perry

You know, a push off indication maybe with like, you know, cause we support a duo push or like, you know, I mean, I, there are certain situations where I should be able to have such a high confidence in who this person is and what they're trying to access, that I shouldn't have to bother them anymore. And that's, you know, that's a really nice potential, you know, because we talk all the time about, you know, how, how long it takes to enter passwords or how long, you know, throughout the day. Right. Well, it only takes a few seconds. Okay. If I do that 30 times a day, that adds up right. And that adds up over a workweek and that adds up over a work year. And that's potentially a lot of lost time at any time that I can, you know, reduce those kinds of like obstructions to productivity. Um, you know, those are, those are ROI potentials

 

Kimberly Johnson

Right now, 100%. And I think, you know, what I've seen is the, the zero trust talk track has come in quite a bit. Um, and I think that there's, there's a lot of concept around that in terms of making sure that you're only trusting things once they're, you know, verified, validated, um, vetted identities, et cetera. But there's also the concept of trust in, you know, enough in the context of the user to then augment the situation, augment the authentication. So I think it's a fine balance and I, I see organizations trying to go one way or the other. Um, and I think contextual authentication, at least from the benefit I highlight is doesn't force you to decide. Um, so just as much as you can give options for the authentication the person has to do, it gives you also that additional layer of flexibility for not only the options at the point of authentication, but what level of authentication are we going to enforce? So there's definitely a granularity there. Um, and I think that's a little bit of a hint to the next question, um, that we, we definitely kind of joked about when we were prepping for this, but what's the key challenge, right? So we're talking about all these fine-grained policies and everything I'm hinting at it, but, um, Christopher, what would you say is, is probably one of the key challenges that customers have when trying to put contextual authentication in place?

 

Christopher Perry

Probably the biggest one is lack of understanding of the scope. Uh, and I know that's kind of vague, but it really comes down to not simply saying, Hey, I want to implement contextual authentication to potentially make things easier for everybody, but it's actually understanding what that means for your environment. Um, too often people look at this and you can see it printed on there as a logic puzzle. Uh, too many people will look at it and say, Oh yeah, there's way too many things that I have to configure. When in reality, you might only need to configure one or two different settings and going in knowing precisely what you need to change is going to help streamline that a lot that, and obviously test, test, test. You can't say that enough, especially when it comes with two, excuse me, contextual authentication. You really have to know what you want and test and prove that yes, this is in fact actually what I wanted.

 

Kimberly Johnson

Yeah. And so expanding on that a little bit. Um, I remember when we were talking about this, uh, in preparation for this discussion, you called it logical acrobatics, I think maybe was maybe the, uh, the term you use, but how do you think about this? Should people look at the forest first and then try to segment out groups of trees or, you know, if you're kind of going that analogy, do they get right into the individual users and the trees first or what, what type of approach have you seen work best?

 

Christopher Perry

Uh, I think it's always better, at least from implementation standpoint, to look at the forest before you dive in into the trees, really. Uh, because you'll, if you start to laser focused, you'll almost always find that, Oh, this scope didn't include this group of users. And wait, now that they're in, that's a whole new IP range or a whole new device type that I have to manage. Now I have to go back and update this policy to expand it from there. When really, if you started out and then kind of tweaked it while moving in, it ends up being a lot easier to manage and a lot easier to think through. Uh, one of the reasons I say logical acrobatics is when you start throwing multiple conditions of different types at each other, and then trying to align those to a specific authentication type, whether it's, Oh, Hey, if X and Y are met, but not Z, you have to do two factor.

 

Christopher Perry

But if X, Y, and Z are met, you do have to do, uh, or it's blocked access trying to keep all those in line can be a little hairy if you're not sitting there with a clear scope of where all the supplies. Um, and then of course, we like to add wrinkles into the thing by giving you more flexibility in saying, Hey, in fact, you can actually invert those to make it a not condition. And I talked about this a little bit in preparation with Kevin too. Like yeah. As soon as you put the word, not in there, even people like me who finally have a grasp of, you know, logical operators are going to sit there and like, wait, how does that work again? And sometimes it gets me to, so again, just being clear on what you want. And like you said, Kim, starting by looking at the forest and not getting lost in the individual tree initially is probably a good help.

 

Kimberly Johnson

Yeah. And so, so even just talking about that, right. The XYZ combinations it's really if then, or statements, right. You can get pretty intense. What type of, if I'm trying to picture a project plan to implement this, what have you seen customers bring to you that you think worked really well? Um, or maybe lack thereof? Like, is it actually a project plan and you map each, you know, um, group and individuals to the type of controls that you want or what, what's the approach there, just to help maybe visualize that a little bit more

 

Christopher Perry

Sure. Uh, in terms of portal guard, uh, the biggest success that I've seen comes with starting with the high level questions of who needs two factor authentication or who needs contextual authentication. But in most cases, that conversation starts with who needs two factor authentication because when you're looking at contextual, it comes down to do we want to block access, provide two factor authentication, or just let them in normally with a username and password. And you're really looking at this from a security perspective. So you start with the high-level question who needs to factor or who needs these conditions. Great. Is it everybody? Yes. No, if no, let's get the specific groups and then you drill down from there again, into, okay. Under what conditions do we really need this, you know, extended authentication, we'll call it. Uh, cause I don't want to keep harrowing in, on a contextual until we've really gotten a full grasp of it.

 

Christopher Perry

So it's like, you know, everybody, you know, nailed down the groups and then start looking at the specific user scenarios. Um, and then from there trigger the conditions and start looking at it. So, okay. So we've got all of these overlap, so I've got three groups just for example, uh, I've got three groups where I don't care if they do two factor on the network, as long as they've done it once on that machine. Great. Now I can put all three of these together. I don't have to do three separate things all with the same condition for three separate groups. I can just do it once. So kind of again, starting out wider and then scoping. And once you have an idea of, Hey, here are all the users that need this. Here are all the conditions for these users. Where's the overlap. Let me configure it from there.

 

Kimberly Johnson

Okay. No, that makes a ton of sense. That makes a ton of sense. Um, as a reminder to the audience, if you have any questions about some of the things we're covering here, so how to configure this, how to tackle this logic problem or puzzle as we're calling it. Um, and, or even just about contextual authentication, uh, please feel free to submit some questions, um, in terms of kind of the, the options we can give users. Um, I know one of the things that comes up pretty often is passwordless. Um, so Kevin, I'm going to put you a little on the spot, but can you talk this really quick about how passwordless can be used? Like, let's say the context of the authentications, you know, checks out what type of passwordless options do we offer or could offer to our customers that are listening in, right.

 

Christopher Perry

Absolutely. Um, so I mean really in that scenario, um, you know, you can, and I'm going to refer to this passwordless is a good term. I'm going to call it single factor as well, because I use that term a lot, but, you know, there's, we offer bio key offers, um, you know, fingerprint, um, biometrics authentication. And later this year we'll be doing some work around facial and out of band authentic. We talked a little bit about this in earlier seminar, uh, or, you know, last week or the week before, but, um, you know, we'll be doing some of these like additional methods that are getting, becoming really popular. Um, and we're excited to expand those technologies, but basically where those go is like, you know, if you consider, you know, our advanced authentication or biometric advanced authentication, um, you know, we could do something like RPG, desktop app as an example, um, where you're doing a windows and you've,

 

Kevin Wiser

You've trusted the user because they did some SSO sign in or that kind of thing. Um, or an even better scenario actually, uh, is an unlock scenario where we could do something like if we trust the user because they signed into, uh, their windows, desktop, or their portal guard session, uh, with an advanced authentication method and they passed all the other contextual checks previously. Um, we can allow them to, let's say, lock the computer and go to lunch. And then they come back to sit down and, you know, and we can allow them to just use that, you know, single factor, their finger or their YubiKey, uh, or their duo push or, you know, whatever method, um, you know, we've determined as admins that the users, uh, should be allowed to have, uh, we can allow them to just unlock that system, uh, without having to gate anything in front of them or require an additional password to do, uh, a full two factor or multifactor in that scenario.

 

Kevin Wiser

And that can be really powerful. I mean, like I said, we were talking a little bit earlier. I was at least about that, uh, you know, the time that it takes to, to enter passwords and yeah, it's a couple of seconds, but again, over the course of a day, if I do that 20 times, well, okay, now you're talking about a minute or two, and then, you know, if you extrapolate that over a week, okay, well now that's like 10 or 15 minutes of my employee's day or my employee's work week. And then if I extract, I mean, that's a break, right? That's like an extra break basically that they're taking, you know, in time what's that blends. We're not getting exactly. Um, you know, and so, you know, extrapolate that over a month or two a year or over a career. And you're actually talking about potentially a significant amount of time. Um, you know, and, and, you know, the drive in industry, I mean, has been for decades, you know, productivity, productivity, productivity, productivity, this is where we, you know, we, we gained profitability. Right. Um, and you know, that plays into it.

 

Kimberly Johnson

Yeah, no, I think you're, I think you're spot on. And the reason I bring up the passwordless is Christopher. I think you made a great point, which is look at how you're going to control things, right. Especially starting with MFA. Um, and then it's kind of on that spectrum of like blocked to letting them in right. Completely, which I haven't seen that very often, but, um, basically it gives you that kind of range of things to choose from. I think passwordless is on kind of that over towards the convenience side of that range. Um, but it's definitely worth mentioning for sure. So,

 

Kevin Wiser

Absolutely.

 

Kimberly Johnson

Um, and I do have a question I am going to ask Christopher one more question, uh, while I read this one, David, I could see your question. I'll get to it in one second. Um, the other question Christopher, I wanted to ask you is these policies are intertwined right. And configuring them and sending them up. But fun question is when should you revisit them? So, you know, in terms of setting, what criteria you have user groups, when are you seeing people revisit the, the system that they set up or the hierarchy of user segmentation, um, and what would you recommend?

 

Kevin Wiser

Sure. So frequently it comes down to whenever you have new users to considers is tends to be when people I've worked with tend to actually

 

Christopher Perry

Go back and say, okay, is this still a good policy? I always say for contextual, because it is trying to strike the balance between usability and security. Uh, you should really be setting up kind of a regular time to at least go in and review that these conditions still make sense for these users. Uh, the way I like to think of it is for like a big corporation, uh, especially one that likes to promote from within, um, you might have a group of users that are, Hey, these are interns, okay. Interns don't have access to anything. So even if you were to compromise their credentials, all they can get into is to be able to read their own mail. Uh, so we don't necessarily need them to do two factor if they're online, but if you set up all those policies based on the username, if that user gets promoted to a full staff member with administrative rights and the contextual never changes for them now you've got an potential admin who's not required to do two factor can get in on a dime.

 

Christopher Perry

And if they are subject to a phishing attack, the contextual is not going to help prevent them from accessing anything. So having a good plan in place, whether it's quarterly or even by annually, something like that just regularly going through and say, okay, do these conditions still matter for these users? The other flip side to that is, uh, evaluate how you're actually defining the policies. Um, the example I just gave referenced user specific definitions, which for the reason I gave are not always the best because they don't account for shifts in the backend corporate procedures or policies that should apply to that user. If you use something like group access to define the restrictions, then you have a little bit more leeway to say, okay, anybody in this group should only ever have to do to FAA under these conditions. And then it comes a matter of reviewing your groups on your actual domain, but standard best practice for, in my opinion, any authentication scenario is to establish a regular review of the requirements to make sure they still make sense because this field's always evolving. There's really no legitimate reason to expect that all these MFA conditions are always going to be valid all the time.

 

Kimberly Johnson

Right. Right. And it sounds like there's, time-based kind of check-ins that you'd want to do, but then there's also situational, like you said, if a group changes or access or promotion, there's kind of these, uh, situational events that happen, that's, that's worth revisiting. Um, so I do want to get to David's question, David, thanks so much for submitting. Um, you didn't miss this point and I think we didn't cover it earlier. We kind of touched upon it, but, um, David's question is what are the contextual based authentication criteria is defined for portal guard specifically? Um, and so it seems like the questions around the Azure ID, um, contextual authentication or access. And so, um, anything there, uh, Christopher, Kevin in terms of, uh, maybe just recap on the, the context can configure based on, um, and if you, either of you have any information on the Azure ID side of that, that would be great too.

 

Kevin Wiser

I'll defer to Christopher he's, he's got more knowledge on the nuts and bolts of this than I do. That's for sure.

 

Kimberly Johnson

Kevin's our resident biometric expert, by the way, he a walking, talking, eat, sleep, breathe biometrics. So we'll get to give you time, Kevin too.

 

Christopher Perry

Sure. Uh, so with portal guard, again, I'll cover those real quick. Um, you have certain conditions like IP address geolocation, which interestingly enough is a variation on specifying an IP range. Uh, you also have registered devices, uh, in this case, we defer to the browser for that particular condition. Uh, and then the time, so actually like time of day, uh, and wifi security or other options that portal of supports in comparison to the Azure, uh, Ady contextual authentication, uh, the things like unmanaged devices. Um, again, uh, Azure has this thing called hybrid join devices where they actually put a little bit of a mobile device management, maybe not mobile device management, um, integration on the device itself, uh, which does give them a little bit more access to the unit. Again, that's a lot more setup that you have to do as an organization, uh, portal guard.

 

Christopher Perry

On the other hand, it actually differs to the browser, not the device itself, uh, in most cases, uh, to automate that process. Now the flip side of that, right, is if you're using the browser and they do something like a Tor browser or an incognito mode, um, that browser forever going to be seen as you unregistered. Uh, so they'll, you know, for the one session, they might only have to do two FAA ones, but the next time they try to log in, it's going to be flagged as not a registered browser and they'll have to do it again. And again, that is by design. If you can't keep the browser registered, then you have to keep doing to TFA. So yeah, for the most part, there's a lot of overlap there. Uh, but it, it really ties down to how it's implemented a portal guard. Doesn't have the direct tie into the devices that Azure Ady does. Um, but the flip side of that is it's a lot less setup and maintenance on that end.

 

Kimberly Johnson

Yeah. And to piggyback on that, um, even that was over my head, I can tell you that in terms of my expertise on contextual, so that was great. Christopher digging in and comparing those two. Um, it also reminds me, I think we were talking about this before, when we first developed like way back in the day, contextual authentication for portal guard. And then there was a lot more factors and a lot more, um, contacts, but you have to be careful about a, how reliable it is, B how consistent it is. Um, and so, you know, it's, we've definitely gotten it honed down to be the best version of, of these attributes that we can look at and now continue to build upon those as to what we think are really important or what customers are looking for. So, you know, some of those things I've seen throughout the day as you expand and contract the context that you can bring in, um, has happened throughout kind of the development of this as a concept in most IBM platforms. So,

 

Kevin Wiser

Okay. Well, I think it's important because Christopher had hit on this too, and you just did, but, but just want to highlight it. I mean, you know, a lot of times user access or, or, uh, you know, from the location individual user, what types of things they need to access is a constantly moving target, right? Because, you know, someone goes through a promotion or takes on a new responsibility. Someone takes on a responsibility while someone is on vacation. Um, you know, those, those things shift frequently. And, and so it's important to pay attention and to have some flexibility built into your system and, and into your contextual plan, that to get, to show your medication plan that allows you to account for edge cases.

 

Kimberly Johnson

No, I think that's, um, it's interesting. Cause it reminds me of working in healthcare, you need to know people's workflows or what their day is. Right. Um, and even over the past year, we've seen a lot of change in people's working environments and situations. Um, so, you know, implementing it is, is definitely possible. It is a logic exercise, I think in a lot of ways. Um, but once it's configured in an in place, you know, the benefits on both security and usability side, I would say are just above and beyond basic MFA. Yeah.

 

Kevin Wiser

And if I, if I can't, I don't think we've really hit on this yet, but I mean, that's where it becomes so clutch, um, potentially to be thinking about pilot groups, pilot users, pilot groups, even in a larger group. Right. So you can get some feedback on, does my plan work before I'm impacting, you know, an entire group of users I'm hopefully only picking on, you know, my, my pilot group and not, not beating up on everybody else was something that doesn't work.

 

Kimberly Johnson

Yeah, exactly. The rollout of it. Um, and is that, is that what you would both recommend, I guess, is the gradual rollout of this? I mean, I know we recommend it with multi-factor for sure. You don't wanna just turn it on. Um, is that the point here is what I'm hearing, Kevin, you saying we hear Christopher A. Little bit of a subtle

 

Kevin Wiser

That for me, absolutely. I would never just flip the switch on something like that. Especially when it comes down to, did I get my logic stream? Right. He like, you know, not just like, is it on or off, but is it on or off in all these like weird eventualities? I mean, it almost becomes like it's not, but I mean, it's almost like a quantum problem, right? Like, is it in one state or is it the other, have I measured it yet or not? Um, you know, so like for me, I'm always big on pilot groups, lots of communication before I ever did anything like this to my users when I was assist admin, I definitely, would've made sure I'd sent out a couple of emails a couple of weeks in advance, Hey, by the way, we're changing something, we're turning this on, we're deploying this new thing, you know, be ready for it, you know, et cetera, et cetera. Um, you know, communication and pilot groups for me are, are like big, whether I'm turning on contextual authentication or I'm moving to office 365 you know what I mean? Like, like it doesn't matter, like, like those things are always important test, test, test, test. Right,

 

Christopher Perry

Right. Yeah. And I'm gonna piggyback on that too. Like I said before, test, test, test, he can't say it enough, but even if you ask any other customer who's ever worked with me, if you submit us for issue even about the contextual authentication or pretty much anything else, one of the first question I'll ask is, did you do this in test first? Uh, because that should always be the first step, especially like Kevin saying when logic is involved, because it is just too simple to say, yeah, no, that absolutely makes sense. This is exactly how it should work. I'm going to roll this out 1500 people. And then 10 minutes later I've got 800 calls on hold and my help desk going. Yeah. Now I can't get into my system. What did you guys change? And it's all because, Oh, actually that's a nod. So this is a negative, Oh, sorry, let me uncheck that and figure that out within five seconds of putting it on a pilot group. Um, so yeah, you should, if you're thinking, do I need to test this? The answer is yes. I don't even need to know what the rest of the question is. That's the answer.

 

Kimberly Johnson

Yeah. I think that's a key point. I also learned like, don't start with your doctors if you're in healthcare. Uh, and, and you're probably not the first person I would go with. Um, but I think this is, this has been great. You know, I think it's a good coverage of what is contextual authentication or the key benefits, right? Uh, in terms of a quick recap, right? It's, it's the way to really balance security and convenience for users. You can tighten up authentication when you need to, especially when the context is showing something that might be higher risk, but then loosen that up for costs for users, customers, and employees that basically can show their contacts is in a, in a reasonable, um, digestible security for you. So I think that's really key. Yes. It's a little bit of a challenge. I think we've called that out today.

 

Kimberly Johnson

Um, it is a logic puzzle, um, and requires some forethought and planning and strategy and segmenting your users. Um, but it's absolutely possible and is honestly become a key staple of many. I am strategies we're seeing all of you and our prospects as well using.

 

Kimberly Johnson

We're more than happy to schedule a customer success call with any of us on the team, uh, to talk about your requirements, make sure you're getting the most value out of the solutions you're using. Um, and with that, I will thank everybody for joining today. Um, and of course my sidekicks for this session and series, uh, Kevin and Christopher. Thank you so much. Great session. Great. Yes. Thank you. Great. Thanks so much. Have a great day everybody.

 

Anyways, that wraps up today’s episode of IAM Pulse. Thank you for listening to the show. If you want to hear more about making sure MFA goes smoothly in your organization, go to our website: www.bio-key.comJoin us next time to learn more about IAM and how to secure identity the way that you want. Talk to you soon.