The session features host and Mobile Mentor Founder, Denis O’Shea, Yubico Solutions Engineer, Shakeel Aziz, Microsoft Cloud Endpoint Technical Specialist, Nick Cordova, and Mobile Mentor Digital Identity Lead, Demetrius Cooper.
During the conversation, the group discusses Microsoft Entra, passkeys, and Zero Trust for identity.
Read below for a synopsis of this conversation on security keys for passwordless.
Where is the identity space moving to?
Nick Cordova: Microsoft plans on continuing down that path of getting our customers to be completely passwordless. From a product standpoint, we are rebranding our identity space, which you may have heard of as Microsoft Entra. The Entra brand has products that are Azure AD and Microsoft Entra Permissions Management. Being able to provide that comprehensive visibility into other cloud providers, not just Microsoft, is going to be very beneficial to organizations in the future as they spread out their services through multiple vendors and cloud providers. Where we see a lot of the focus is on permissions management and visibility into what identities are used and where. That’s the next step and the North Star for organizations on their identity journey.
What is the future of identity in terms of security keys?
Shakeel Aziz: One thing that you may or may not have heard of, depending on how closely you’re following the space, is this new term called passkeys. Passkeys are the next evolution of FIDO for passwordless authentication. It’s actually a term that was coined by Apple. Yubico is also going to be running with passkeys as the new term. Passkeys are the next evolution of password authentication. It’s important to know that passkeys are using FIDO2 technology. It’s a FIDO2 authenticator, meaning that the underlying mechanism of the authentication is still FIDO2. It’s still the same technology that we’ve been using for years. What’s going to change is that the mobile device platforms and the identity platforms are taking actual possession of the credential and syncing it across ecosystems, so that you can use that credential across a variety of devices that you own.
If you were to log in today to your Microsoft 365 account, you use a username and password and then multi-factor authentication; that’s how it is typically done. Potentially in the future, you’ll be on your mobile device – if it’s an iPhone, Apple would prompt you to create what is essentially a FIDO2 credential instead of a password. It would then store that in a manager for discoverable or cryptographic credentials and then sync them through the keychain. What you can do then is pick up another device and use the same credential, because it is the same credential. You can essentially repurpose that credential across the ecosystem of devices that you use. The idea is to make it even simpler for users to adopt passwordless authentication, where you don’t have to remember a password or store it in a password manager. The idea is the same except the credential is no longer a password. And the authentication becomes much easier for users. The idea behind that is to increase adoption, because it will be so simple that the platform vendors will now be taking on the responsibility of managing that credential for you.
One of the current issues is having to switch between devices. We all own five or six different types of devices, and we want to be able to log in to any of the devices with the same credential that was created when we registered with a specific service. That credential is copied over across the ecosystem of your devices. That’s where we are today. We’ve seen some of this at the Apple conference when they introduced passkeys in the iCloud keychain. We’ve seen demonstrations of it, and it’s really cool and interesting technology. Yubico has put a lot of work into developing the standard. We’re going to see the technology continue to be used, even though the YubiKey itself is still a passkey. It is still what we call a device-bound passkey, meaning the private key, or the credential key pair that gets generated, gets stored on the device.
With the passkey, that credential is actually sent across to the platform vendors, for example, the cloud, Apple’s iCloud keychain. That’s really the difference between the two. Can you use a passkey and a YubiKey at the same time? Sure you can, because the technology is essentially the same. We’re going to see more developments come out of passkeys as the FIDO Alliance is also continuing to develop the technology for use. We’re going to be seeing a lot of change over the next few years. I think Apple jumping on board will push the envelope. Not only Apple; Microsoft and Google have also now committed to passwordless. I think we’re going to be seeing a really exciting time over the next couple of years.
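The distinction Shakeel draws above, a device-bound passkey on a YubiKey versus a synced passkey held in a platform keychain, is visible to the relying party at registration and sign-in time: WebAuthn authenticator data carries a Backup Eligibility (BE) bit and a Backup State (BS) bit in its flags byte. The following is an added example, not code from the panel, Yubico or Microsoft; it parses the fixed 37-byte prefix of authenticator data (rpIdHash, flags, signature counter), classifies the credential, and runs on constructed sample bytes (the all-zero rpIdHash is a placeholder, not a real hash). Function names are this example's own.

```javascript
// Added example: classify a FIDO2/WebAuthn credential as device-bound or
// synced from the authenticator data flags (WebAuthn Level 3 bit layout).
// Authenticator data layout: rpIdHash (32 bytes) | flags (1 byte) |
// signCount (4 bytes, big-endian) | optional attested credential data | extensions.
const FLAG_UP = 0x01; // bit 0: user present
const FLAG_UV = 0x04; // bit 2: user verified (PIN or biometric)
const FLAG_BE = 0x08; // bit 3: backup eligible (credential may be synced)
const FLAG_BS = 0x10; // bit 4: backup state (credential currently backed up)
const FLAG_AT = 0x40; // bit 6: attested credential data present
const FLAG_ED = 0x80; // bit 7: extension data present

function parseAuthenticatorData(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new Error('authenticator data must be at least 37 bytes');
  }
  const flags = authData[32];
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  return {
    rpIdHash: Buffer.from(authData.subarray(0, 32)).toString('hex'),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    backupEligible: (flags & FLAG_BE) !== 0,
    backupState: (flags & FLAG_BS) !== 0,
    hasAttestedCredential: (flags & FLAG_AT) !== 0,
    hasExtensions: (flags & FLAG_ED) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// Policy view of the flags. The spec forbids BS=1 with BE=0, so that
// combination is reported as invalid rather than silently accepted.
function classifyPasskey(parsed) {
  if (parsed.backupState && !parsed.backupEligible) return 'invalid';
  if (!parsed.backupEligible) return 'device-bound';
  return parsed.backupState ? 'synced' : 'syncable-not-backed-up';
}

// A relying party that requires hardware-bound credentials for privileged
// accounts can enforce it from the same bits.
function meetsDeviceBoundPolicy(parsed) {
  return parsed.userVerified && classifyPasskey(parsed) === 'device-bound';
}

// Constructed sample authenticator data (placeholder rpIdHash of zeros).
function sampleAuthData(flags, signCount) {
  const buf = new Uint8Array(37);
  buf[32] = flags;
  new DataView(buf.buffer).setUint32(33, signCount, false);
  return buf;
}

// Device-bound authenticator: UP+UV set, BE/BS clear, counter incrementing.
const deviceBound = parseAuthenticatorData(sampleAuthData(FLAG_UP | FLAG_UV, 7));
// Synced platform passkey: UP+UV+BE+BS set.
const synced = parseAuthenticatorData(sampleAuthData(FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0));

console.log(classifyPasskey(deviceBound), meetsDeviceBoundPolicy(deviceBound));
console.log(classifyPasskey(synced), meetsDeviceBoundPolicy(synced));
```

Both credential kinds verify with exactly the same signature check; the flags only let the relying party record, or enforce by policy, whether the private key can leave the authenticator. Recording BE/BS at registration and re-checking them on each assertion also makes a later change in backup state visible for detection purposes.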
What can we expect for the future in terms of Zero Trust?
Demetrius Cooper: For Zero Trust in general, I can see fully autonomous identity systems collaborating to continuously evaluate authentication. It’s known now as a mesh architecture where you have all these independent systems, whether it’s Microsoft with Azure or Google’s cloud identity or even a decentralized identity, something similar to a verified ID. Those identity pieces will all collaborate together, and they’ll all talk to each other. They’ll all sync.
You’re even seeing it today with cross-environment compliance policies, where you configure these policies and you associate this trust based on the standards of your organization. I can see that this mesh architecture, where all of these pieces work together to provide a great end-user experience that is secure and continuously adjusting, is the way of the future.
Denis O’Shea: You just reminded me of the past when we used to talk about the triangle, where you had to choose two of three: do you want better security? Do you want lower costs? Or do you want a better end-user experience? I’ve been in and around technology for 30 years. I don’t think I’ve come across a breakthrough like passwordless that actually addresses all three, because it genuinely improves security and the user experience, and lowers cost. It’s really a generational shift.
Once upon a time, we thought telegrams were great, and then fax machines came along, and then pagers came along. Once upon a time, we thought that passwords were wonderful. But now we know beyond all doubt we need to move past passwords as quickly as possible. We need to go passwordless. And sadly, some organizations will wait until they get hacked a couple of times. Others will say, we’re not going to wait for that day.