Let’s talk about digital identity with Olly Brough, Managing Director of EMEA at Trusona.

In episode 62, Olly discusses all things WebAuthN – including what it is exactly, when and why you would use it, cost savings enabled by WebAuthN, how secure it is compared to other standards, and how easy it is to use and deploy.

[Transcript below]

“WebAuthN is the most exciting development that I’ve seen over the last four and a half years working with Trusona”

Olly Brough is Managing Director of EMEA at Trusona Inc. Olly has built his career delivering best-in-class payments, anti-fraud and identity solutions to leading retail, financial services and public sector clients, working with a variety of high-growth technology companies in Europe and overseas. Prior to joining Trusona, Olly led the European sales and marketing functions of privately-owned technology businesses through to successful exit, including QAS, an identity and data quality business; Eiger Systems, a consumer payment collection platform; Cambridge Global Payments, a cross-border bank payments service; and 41st Parameter, the online device intelligence platform, where Olly previously worked with Ori Eisen.

Find Olly on LinkedIn.

Find out more about Trusona at trusona.com.

We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!

Go to our YouTube to watch the video transcript for this episode.

Let's Talk About Digital Identity
Ubisecure

The podcast connecting identity and business. Each episode features an in-depth conversation with an identity management leader, focusing on industry hot topics and stories. Join Oscar Santolalla and his special guests as they discuss what’s current and what’s next for digital identity. Produced by Ubisecure.


Podcast transcript

Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.

Oscar Santolalla: Authentication without passwords is the goal that many businesses have already set, but very few have delivered. Now, WebAuthN is one of the standards that we hear the most lately. So today we’ll have a critical assessment of WebAuthN. And we’ll see, is it ready to deliver its promise? And for that we have a special guest who is Olly Brough.

He’s Managing Director of EMEA at Trusona. Olly has built his career delivering best-in-class payments, anti-fraud, and identity solutions to leading retail, financial services and public sector clients, working with a variety of high-growth technology companies in Europe and overseas. Prior to joining Trusona, Olly led European sales and marketing functions of privately-owned technology businesses to successful exit, including QAS, an identity and data quality business; Eiger Systems, a consumer payment collection platform; Cambridge Global Payments, a cross-border bank payments service; and 41st Parameter, the online device intelligence platform.

Hello, Olly.

Olly Brough: Hello, Oscar. Good morning to you.

Oscar: Good morning. And welcome, let’s talk about data identity. But as always, I want to hear more about our guests. So please, Olly, tell us a bit more about yourself and how was your journey to this world of identity.

Olly: Thank you, Oscar. So yeah, my name is Olly. I’m based here in the UK. My focus is, as you said, has been very much around growing technology companies across Europe. I think I somewhat stumbled into the world of identity. I first joined, over 25 years ago, a data verification business that was at the time flexed on helping organisations increase the integrity of their name and address data for old style mailing campaigns, just before the internet was a big thing.

But of course, that morphed into identity verification, because once you have names and addresses and date of birth, you can then start to verify identities. And that business was acquired by Experian, the big PLC. Then really through that, my experience sort of morphed into identity verification. And then I got into the whole area of online security, which is where I am now initially through 41st Parameter, but now focusing on Trusona.

And then finally I dipped into payments along the way. But then payments, as you know, is also very heavily associated with the world of online authentication because payments can’t happen unless they’ve been authenticated in the right way. So yeah, it’s been an interesting last 25 years – long may it continue.

Oscar: Yes, super interesting journey, touching several industries so you say that were very close to identity. And excellent, OK, so we are going to discuss about especially WebAuthN, if you can tell us first what is that?

Olly: Yeah. Well, first of all, I’ll give it a little bit of context. Trusona was established over five years ago in Arizona, with great backing from the likes of sort of Microsoft and Kleiner Perkins. If I’m honest, we always would have hoped that progress would have been quicker in those early years. But I think many people have the vision to remove passwords and other static authenticators like less OTPs and the like. But I think to a degree, the technology has been the constraining factor in terms of standards that are available to use to bring more consumers into using passwordless capabilities. That’s been there a little bit more in the workplace type environment, but perhaps been a limiting factor when trying to authenticate consumers.

So WebAuthN, the question you asked is, what is WebAuthN and why would you use it? Well, WebAuthN I think is the most exciting development that I’ve seen over the last four and a half years working with Trusona. And it is a standard that has been adopted by FIDO. OK, now, W3C, the World Wide Web Consortium, created the standard. And FIDO, which stands for Fast Identity Online. And really FIDO is an alliance, an open industry association that’s mission is helping create standards to remove passwords from those secure interactions. OK? So they are bankrolled by the likes of Google, Apple, Microsoft, and all the usual suspects. And they have a common interest in helping to standardise on the internet so that we can better authenticate individuals and move away from passwords.

So in terms of explaining what WebAuthN is, then probably the best way to describe it is we’ve all now had that experience of being able to open an app and tap in the app to identify yourself, or at least most of us are familiar with that. I, for example, bank with Starling Bank but you might have other services – where Starling Bank, for example in the UK, forces you to use the app and therefore every time you want to authenticate or accept a card payment or move a payment, they will ask you to open your app and to tap in the app using Face ID or your Touch ID. And I think people now accept that if you have that app, then that is a really good experience for consumers.

The problem with that type of technology, which is stuff that Trusona has been helping people with, is if you do not have the app for the brand, so let’s say I’m trying to talk to my telco, and I don’t have the Vodafone app on my phone. Then Vodafone do not have the capability to ask me just to tap or look into the device to authenticate. Because that is only available if you have that relationship with a native mobile app, the My Vodafone app.

To put it into context, I’m trying to explain that problem and then that will explain why WebAuthN is a useful technology. The problem is if you take the telco industry, for example, then only about 18% of their customers have actually got around to downloading the app. So if you were posing a solution for telcos to authenticate their customers, then you’re proposing a solution that only addresses 18% of their customers, whilst the rest of the world, the other 82%, are still stuck with passwords and usernames and SMS OTPs and the like.

What WebAuthN has done is enabled that same tap in app experience but without the need to have the brand’s native mobile app. It effectively allows the likes of Vodafone to deliver the same experience, but through their mobile website, and using the Chrome or the Safari, or Microsoft Edge app that is installed on the device as the app, so that they do not have to establish that app-base relationship to have that tap and go experience of authentication.

So what WebAuthN really means is that when consumers pull their new phones out of the box, they already have the standard on their device. And there is no technology to be delivered to the customer to enable them to be able to cleanly authenticate to a brand, which means that now instead of 18% of people being able to do it, 100% of people can now have that same tap and go experience. Is that clear? There’s quite a bit of detail there.

Oscar: Yes, yes. I think a good idea is the way you clarified. First of all, you start explaining that there are already nowadays, in the last year, they already have been companies’ services that offer their own proprietary own branded authenticator app, mobile app, which authenticate or which, as you said, the user experience is normally good, that works and is secure. And now, to make it more accessible to everybody, that kind of app is just in every browser, at least in the browser who are supporting WebAuthN. Correct?

Olly: That’s correct. Yeah. It is available to everybody out of the box on all new mobile devices. And increasingly, it’s available on desktop devices.

Oscar: Yeah, definitely. It sounds super convenient. Of course, you don’t have to install an app. If it sounds so convenient, as you are describing it, why don’t we see this so much? Actually, I think I once tried it with GitHub, but I haven’t found, I haven’t heard of many services that offer it. So is it really available now?

Olly: So first of all, let’s address the question as to whether it’s a technology that’s here to stay, or it might disappear in the next 12 to 24 months? The answer is it’s definitely here to stay. Today, about 85% of all smartphones in Western Europe have the capability already. OK? So I think that’s something that people don’t understand.

It is there. The reason there was a delay was that it took a little while for Apple and their iOS operating system to adopt the standard and that happened in September 2021. And now, as those updates have been updated to those Apple devices, there’s a very, very high penetration, it’s almost 100% of Apple mobile smartphone devices.

Coming back to your question about why haven’t you seen it out there? You will now increasingly, it’s being used by some of the core services that Apple and Google deliver themselves, things like Apple Pay and Google Pay and the like. But the challenge is, it’s really- until Apple came to the party back in September 2021, it’s been very difficult for people to deliver use cases. But now that it’s in place in the last year, we’re seeing an increasing incidence of projects using this type of technology. So it’s definitely here to stay.

The challenge is, you probably won’t realise that you’re using it, because the experience is very, very good. It is simply like just unlocking your smartphone device. And so you will be using it in instances that you have no awareness that this is WebAuthN, because why should you? You as a consumer, all you care about is being able to authenticate and get what you want.

Oscar: Exactly. So it means that it’s been already, let’s say for the last month, at least available on the services side, but not available because of Apple, Apple didn’t support it on their clients.

Olly: But now it’s in iOS 14 so it’s pretty much, unless you have a very old Apple device, you will have WebAuthN available on your device. As I say, I think the key point is it is being used, but people aren’t aware of it because you wouldn’t explain to the consumer, “Do you want to log on using WebAuthN?” They will say, “Do you want to use biometrics to log on?” And they’ll tap and that’ll be done, and they won’t think any more about it.

Oscar: Excellent. I think it’s a good time to hear about the use cases. So I’d like to hear which use cases are being used already.

Olly: So, where we’re seeing the most activity is really in two areas. And I’m talking about on the consumer side of things at the workforce level, then authenticator apps are pretty well-established as a mechanism to do second factor authentication. And you will now see on the workforce side, we’ve already got deployments whereby organisations are using WebAuthN instead of an authenticator app to passwordless the MFA into single sign-on environments like Okta, for example.

So that’s one area, the workforce environment where CISOs want to get rid of passwords, and they want MFA. And they don’t want to have to go around policing everybody to download and enrol to the authenticator app. They just want to move that overhead. So that’s one area.

On the consumer side, I’d say there are two areas of real interest to us. One is the customer services area, which has always been strong because people don’t realise the cost of passwords, pins and codes to customer services. Ultimately, if I can’t self-serve, then I will pick up the phone to customer services, which drives up costs. So it’s always, while security is important, really, the areas where good ROI is delivered is where there’s a real meaningful cost upon the business of passwords, usernames, pins and codes.

So for customer services, we are seeing a lot of interest in using this over chat discussions. If you have an open chat discussion, at some point, the brand will want to enable account servicing via chat. But they can’t do that, because it is very difficult to authenticate someone over a chat discussion. Whereas if you have the WebAuthN capability, you can literally just send a message that enables the customer to tap on the screen, look into the device, and they have authenticated themselves. And now they can move that chat journey into the account servicing level where I might want to change my address. And a lot of time chat discussions are limited to initial sort of high-level questions, but you always have to then pick up the phone if you want something more serious done. So that’s one area that we’re seeing quite good demand.

Probably the biggest is the replacement of SMS. So whilst this is not a true passwordless deployment, SMS is seen as a real pain for businesses. Why is that? Well, one, it costs money. So finance people don’t like it, that can be very, very expensive. Number two, it has an attritional impact and we’ve seen that with PSD2 and Strong Customer Authentication and payments across Europe. There are attrition rates associated with SMS of between 10% and 30%, OK? We’ve all had that experience where we tap a button and say, “Send me an SMS” and it doesn’t turn up and then you tap it again. And then you get two or three at the same time and then you enter the phone number, not the code. So all of that costs money or impacts conversion, which drives revenue.

And then finally, we know that SMS is not particularly secure, because it really is not a true possession factor. It’s the SIM card rather than the actual physical device, whereas WebAuthN strongly identifies the actual physical device. So for those out-and-out mobile login type experiences where there is a security requirement to have a second factor, then we see WebAuthN as being so easy to deploy.

So we’ve seen a lot of interest in the gambling sector at the moment for a very, very cutting edge with regards to customer experience. So instead of having to go through with those steps, the customer literally just taps on the screen, looks into their phone, and they’ve been strongly authenticated, there’s no need to remember anything or type anything. And they can get on with what they want to do, which might be placing a bet on the 2.15 at Haydock. So those are the use cases that we’re seeing early on.

Oscar: Thanks for sharing that. Very interesting, of course, you mentioned the workforce, the replacement of SMS which is widely used today still. And yeah, you have described why it’s not a good idea to keep using that. But there was also fun, quite interesting and I haven’t heard before is about the customer service using the chat. So yeah, definitely, it makes that kind of customer service via chat much more powerful.

Olly: Exactly. Because I saw a stat, I think it’s something like, I can’t remember what the numbers were and I’m going to be cautious not to misquote on this discussion. But I think generally speaking, we would now prefer to get something via chat than picking up the telephone, because you multitask, you can tap a message, “I need this, I need this, I need this.” And that, I think is a very powerful driver.

Oscar: Yeah, the chat person says, “OK, you had to call anyway. So you had to make the one-hour queue and then call.”

Olly: Oh definitely. And all the time the customer satisfaction goes down and costs go up. It’s just this whole digital transformation agenda is primarily it should be about, how can we serve the customer best? And I think this addresses it. And then secondly, of course the finance people will want to know, well, how can we do it more cheaply? And the good news to the finance folk is that it can be done more cheaply, and we can make sure that customers are happier and they’re retained for longer and they spend more money with the organisation. So who wouldn’t want that?

Oscar: Absolutely. So we’d like to hear now about the security. So how secure is WebAuthN if you compare it to other standards?

Olly: Yeah. OK. So let’s break that down. First of all, let’s break the security model down into simple terms. And really there are three factors that can be applied: there’s a possession factor, so something you have; there is a biometric, which is something you are; and then there’s knowledge, which is something you know. Now, if you compare WebAuthN to other standards, then let’s look at passwords, for example. A password is a single-factor, knowledge-based check. If I know it, I could pretend to be you, and I can clean out your account.

Now, on top of that, you might apply another standard to improve security, which we discussed earlier, which is OK, well, I’m now going to add on top of my knowledge-based factor, I’m going to add an SMS. SMS is often characterised as being a possession factor. And to a degree, you could argue it is because you need to be in possession of that SIM card, but then the message can be diverted or it can be phished in some way. And so really, SMS quickly becomes another knowledge factor. If I have that code, I can pretend to be you. And there are a number of ways in which that code could be diverted or moved to another party. So, if you look at the two-factor authentication using passwords and SMS, then if I know your password, and I can get your code, then I can pretend to be you and I’ve broken through that security model.

And what we see within customer services is even worse is knowledge-based authentication. So knowledge-based authentication is that experience of secret questions, Oscar, before I can change your address, could you tell me what month you were born? Again, anybody that has got the time and desire to want to break into your account, it’s not difficult information to obtain. And therefore, it is another knowledge factor that I can collect, and again, pretend to be you, OK? And there are real challenges in customer services with knowledge-based authentication, not just because it’s weak, but it also takes about 34 seconds for every single call to go through, which is more money and more cost associated with trying to identify the customer.

So the factors WebAuthN uses: number one is possession. But it is not possession of a SIM card, it is possession of the physical hardware of your smartphone device. And therefore, if I change the SIM, or if I divert the message, the transaction will not be authenticated. Why? Because you physically have to have this piece of metal in your hand, using cryptography, it is strongly establishing the device and that cannot be transferred to anyone else. OK? So that’s the first thing.

Secondly, it is using the biometric on your device. So WebAuthN does not create a new biometric. It is using the biometric that you have set up to unlock your device, probably about 100 times a day for the average person. The important thing about that is that that biometric is very secure, because it is not transferred over the internet, it is only ever retained on the device. And secondly, it’s something that you’re very familiar with using. So from a customer experience point of view, if I ask someone to unlock their device, then they know how to do it, because they’re very practised at it, they do it every day, hundreds of times.

So the WebAuthN standard uses, number one, very, very strong, immutable possession of the device that is much better than other standards, such as SMS. And then secondly, it layers on top of that, to get at that possession factor, the biometric from the device. Really, it is a very, very strong standard compared to other alternatives. It’s not infallible. One of the key things that we always state is that if you’re using WebAuthN, then you should make sure that the customer is not sharing their device. So these days, if you use Touch ID within a banking app, they will put a disclaimer in there to say “If you share your device, please do not use Touch ID or Face ID to authenticate transactions. You’re guarding against other people in your household using their fingerprint or their Face ID to unlock your device and approve transactions.” So that’s one thing that you need to think about.

But then when you compare that wrinkle to the other wrinkles within the other alternatives, that is a very, very strong standard. And if you need to layer on top other additional security steps for high-risk transactions, then you can do that.

Oscar: Two strong factors you mentioned. First, the possession but a strong possession. Here, I would like to ask you something. So, it has to be the device and exactly the device that is registered. But if you change the SIM card that’s not valid, or you can change the SIM card?

Olly: You can change the SIM card.

Oscar: OK.

Olly: It doesn’t matter. It is the physical piece of metal by itself. So there is a part of your device called the Secure Enclave, which is where cryptographic elements are stored, and the key is stored within that enclave, and that is resolved when the customer unlocks their device with biometrics to then establish possession of the device. Is this the device that was registered to Olly’s account?

Oscar: OK, thank you for clarifying that. And also the biometrics that can be used depend on the device, correct? Some devices have the fingerprint. So what are the options, fingerprint, face recognition?

Olly: It’s really whatever is available on the device. But I mean, these days, I’m an Android user but iOS devices are all face ID now I think. My device is older Android Moto device that uses touch ID, I think there is a face ID option as well. But it can use either – whatever is available on the phone device.

Oscar: OK, I would like to also hear about how easy it is to use. As far as you have described, it seems to be pretty simple from the end user perspective. But also, I’d like to know how it is for the more technical people who would need to deploy this or are considering deploying this. So what would you say – how easy is it to use and deploy?

Olly: You’re right, at a customer level. I mean, I think the way to think about this is the customer doesn’t need to understand how the technology works. The customer is simply prompted and asked whether they wish to enable biometrics to authenticate to the brand, whether that’s Vodafone, Lloyds Bank, Klarna, whoever it might be. OK, you’re just asked, “Do you want to unlock your phone to authenticate this transaction?” So it’s very easy, and the customer uses it hundreds of times a day already.

Where the complexity exists is in the orchestration, really, because remember at the front end, it’s a standards-based technology. So it’s not our technology that’s running the frontend, it is Apple’s or Google’s technology. At the backend, there is a little bit more complexity in orchestrating the authentication. And that’s where the benefit of vendors like Trusona come in, because they have plenty of experience of deploying these types of solutions time and time again.

So what we need to do is, for example, first of all, make sure that you’ve got an appropriate enrolment journey so that you’ve established trust with that customer. And then once that’s done, our backend will communicate typically with the brand’s CRM or identity and access management platform to then send and receive messages when authentication events are presented or required.

The other thing to think about is that because you are dealing with multiple OSs, then there are different ways and different devices and different operating systems need to step through that authentication process. And indeed, some of the devices we talked about earlier will not yet be compliant so you need to be able to provide a soft landing for those rather than just say, “No, you can’t log in.” Being able to offer a migration path for those older devices to make sure that you’re offering the right authentication options so if they can’t use WebAuthN then maybe they need to stick with passwords and usernames until the time that they upgrade to that device. And then you can put the offer in place.

So it’s a combination of orchestration and I think good design and planning, and the detail that sits around that to make this all come together.

Oscar: Yes. For instance, as you mentioned, for some type of devices, the service is not supported, you have the good user interface that tells you what are the other options available. One qualification question for you, Trusona is a piece of software that would be installed in the backend of the service provider, along with the CIAM, you mentioned, it’s not a managed service, correct? It’s software that is installed?

Olly: It’s software-as-a-service, we run all of our services on Amazon Web Services in different clouds for different regions. And we provide, all of the technology is served up through that cloud service. So there’s no need for the customer to establish their own cloud, or there’s no software that needs to be deployed locally by the brand.

So one of the questions that pops up when we explain that is, well, what about the personally identifiable information that you hold in your cloud? What about considerations around security and so forth? Well, the answer to that is we do not hold any personally identifiable information. Our service communicates with the identity and access management platform that will hold all of the biographic personally identifiable information. What we are using is, we hold in our cloud public keys that relate to the private key that sits on the device that is resolved. And we then use that as an identifier and we pass that between the two systems. So never at any point do we hold personally identifiable information.

Of course, the biometric that’s being used to unlock the devices in the OS, we’d never see that, we just get a result code from the OS to say, whether that has been passed or failed. OK? So our cloud really, if anybody wanted to hack into it, and spent the time they’d be really disappointed by what they got. Because there would just be a bunch of public keys that are proprietary to our own system and are completely useless to any third party.

Oscar: OK, great clarification about that. It’s a software-as-a-service, but you don’t hold any or store any personal data of the users.

Olly: Yeah, I think when people start thinking about identity and authentication, immediately, they think, “Oh, there’s going to be a data store somewhere of valuable data and that’s a risk to the business.” And I think that’s one of the things that FIDO and WebAuthN have really thought through in the backend. And vendors like ourselves, Trusona, have thought through in terms of the orchestration, how we pull that together. And that’s probably another real call out to FIDO and WebAuthN is – the security model and in that respect is very, very strong. They’re not creating another honeypot of information that can be hacked by the criminals.

Oscar: And you don’t need to be an expert to deploy WebAuthN on the backend side.

Olly: Yes. I mean, I think it’s the same as, do you need to be an expert to build an identity and access management platform? Well, yes, of course. And do you need to be an expert to build a WebAuthN based passwordless authentication service? And the answer is, of course, we built one. So anybody could do but it’s taken us five years to get it as good as it is today. And that’s a lot of results, a lot of time getting it right. So yeah, you do need to be an expert to do this well, and I think that’s where traditionally vendors in this marketplace, add value on that with Trusona, then we can really help with the leader in that space.

Oscar: OK, excellent. I will have a final question for you. Olly, thanks a lot for bringing light about WebAuthN, it’s very, very interesting, very enlightening what we’re hearing. For all business leaders listening to us now, what is the one actionable idea that they should write on their agendas today?

Olly: So I would say we’re probably going to have different types of people listening to this podcast, but many will be identity experts, and potentially their costs sit within a cost centre somewhere within the business. That’s the reality. My one piece of advice would be understand the true costs of your authentication services. Because rather than being a cost centre, you can actually deliver strong return on investment back on improving authentication back to the marketing team, the customer services team, and to your finance director. And I can tell you finance people love it when money can be saved.

And so have a look at those hard costs. So for example, we talked about customer services, most of the organisation, large customer service operations that I talk to are- all of them are seeking to drive down the cost of service, but they don’t want to do it at the expense of customer satisfaction. And as we talked about earlier, one of the big obstacles to completing self-service is the authentication processes.

For example, something like on average about 11% of calls come into contact centres, because people can’t get what they want online. So if you could help them to get what they want, by removing these barriers, like SMS, OTP, and passwords and presenting something that’s much easier to them, then suddenly, you can start to drive down the call flow into the customer service team.

Secondly, have a look at their existing process. If they’re using knowledge-based authentication, they’re probably spending upwards of a minute trying to identify the customer. And if you provided a service that enabled them to do it with just a touch of the smartphone, then that would save 40 seconds on every single call. So customer service is one area.

And the other area that we’ve talked about is SMS, go and ask, how much are we paying for these messages? What’s the total cost of that? And what would happen if we could take out 50% of that, and make the customer happier in the process? And then go and tell the salespeople that they will get more sales because customers will be enabled more easily to be able to complete and get what they want.

And so that’s where I would start is just do a cost analysis. But think beyond the fraud and identity team and go and ask customer services about the cost of knowledge-based authentication, customer services about how many calls come in that are diverted because people can’t log in. Go and get that. And then go and ask the finance director, how much do you pay every year on SMS? And are you interested in having a discussion as to how we could reduce that by 50%? I think they’d really like it.

Oscar: Indeed. Again, thanks a lot, Olly for all this. Please let us know how people can get in touch with you or follow the conversation with you.

Olly: Well, first of all, my email address is [email protected]. If anybody wants to give me a call, I’m always happy to chat as well, that’s +44 7823 538 872. But as a good starting point is maybe pop on to our website trusona.com or if you’d like you can look me up on LinkedIn and send me a LinkedIn message. It’s Olly, O-L-LY Brough, B-R-O-U-G-H. If you search that Trusona, I’ll pop up and drop me a message and we’d love to talk.

Oscar: Perfect. Again, thanks a lot Olly for joining us today and all the best.

Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.

[End of transcript]