Join experts from KuppingerCole Analysts and SecureAuth as they discuss why not all MFA solutions offer the same level of protection, and how organizations can improve their security posture and user experience by adopting a different approach that combines MFA with risk-based Passwordless Authentication.
Alejandro Leal, Research Analyst at KuppingerCole Analysts, will explore some of the problems with legacy MFA solutions and how a passwordless solution can improve usability and security. He will also explain some common passwordless features such as device trust and risk-based authentication.
Nawshad Hoossanbuksh, Senior Product Manager at SecureAuth, will explain how adopting a passwordless continuous authentication approach can protect against phishing, brute-force, and MFA bypass attacks such as MFA fatigue or MFA bombing. He will also give an overview of SecureAuth's Arculix passwordless continuous authentication solution.
Hi, welcome to the webinar, Take Invisible MFA to the Next Level with Passwordless Continuous Authentication. My name is Alejandro Leal. I'm a Research Analyst here at KuppingerCole, and today I'll be joined by Nawshad. How are you?

Hey Alejandro, how are you?
I'm good, thank you. Thank you for, you know, having me today and I look forward to our session.
Great, thanks. So first I will begin my part of the webinar and then Nawshad will conduct the second part. So let's start first with some important information regarding audio control. All of you are muted, so there's no need to mute or unmute yourself. Polls: we're gonna be conducting a couple of poll questions, so I encourage you all to participate. Q and A: we will have a Q and A session in the last 20 minutes of the webinar, so you can enter questions at any time by using the GoToWebinar control panel.
And regarding the recording and the slides, we will be sharing the slides in the coming days and the recording will be available as well. So here's the agenda. Like I said, I'll begin the webinar by introducing the concept of passwordless authentication and then Nawshad will go more in depth into the topic. And then at the end we'll have a Q and A session. So here's the first poll question. I'm gonna give you guys 30 seconds. And the question is, has your organization suffered an attack that was caused by breached passwords? Yes or no?
Okay, we can proceed. Now, here are some of the market drivers of the passwordless authentication space. With the COVID-19 pandemic and the shift to remote and hybrid work, credential-based attacks and account takeover fraud cases have been on the rise. Cyber criminals continue to come up with new ways to obtain users' credentials and access private information. Furthermore, the development of open standards such as FIDO2 and WebAuthn, together with the Biden administration's memorandum on phishing-resistant MFA, are likely to contribute to further adoption of passwordless solutions.
And in recent months, we've seen all over the news the introduction of passkeys by Microsoft, Google, and Apple. And these developments are also going to contribute to more adoption. And like I said, the shift to remote and hybrid work and the growth of e-commerce are likely to increase the demand for more modern authentication systems.
Of course, there are more market drivers, but here at KuppingerCole, we highlight these specific market drivers that we have observed in our research. So I think the question is, what's wrong with passwords? I think we all know here that passwords are problematic; they are inconvenient and insecure.
But if we, you know, look back at the history of passwords, if we trace back the origins, we will realize that passwords were not created to provide security. The password is a remnant of an era before hacking and password-based attacks became a widespread problem. Here we have five common issues involving passwords. Number one, there's research out there that points out that most data breaches involve the use of stolen credentials and compromised passwords. For many organizations, password resets are very costly and time consuming. Another major problem is password reuse.
Many customers and employees often use and reuse the same password across multiple systems and applications, which is perhaps not the best idea when it comes to security. Also, we see friction: adding MFA alongside passwords results in poor user experience. I know that Nawshad will talk more about MFA later on. And last but not least, legacy solutions, legacy MFA solutions, still rely on a password and they can easily be bypassed by attackers. In the next slide, we see some of the most common attacks:
phishing, credential stuffing, man-in-the-middle attacks, brute-force attacks and SIM swapping. At KuppingerCole, we believe that organizations' systems must cease supporting authentication methods that are prone to password-based attacks. Something that we also like to talk about is account recovery procedures. For example, when a user loses a device, a phone or a computer, or simply the user replaces the phone or the computer with a new one, solutions must make it easy for users to recover their accounts.
Users should not go to a store or spend 20 minutes waiting for customer support; on the contrary, it should be very easy for them to recover their account. In addition to convenience, it also needs to be secure for them to recover their account, and that's why solutions must provide methods that are not prone to password-based attacks. So what's the alternative? The alternative is passwordless authentication. And if implemented successfully, a passwordless solution will increase both security and convenience.
In a nutshell, passwordless authentication is a term used to describe a set of identity verification solutions that remove the password from the authentication flow and from the recovery process as well. These solutions can overcome the notion of balancing security with convenience and instead adopt a win-win approach, which involves increasing both security and convenience. So what are the use cases? During my research on authentication, I believe that the most common use cases are workforce slash enterprise and consumer use cases. But there are also use cases for citizen and partners.
When it comes to enterprise, it seems like security is the main priority. While for consumer use cases, user experience is a main focus.
However, leveraging both at the same time is essential. Some solutions in the market provide nearly every feature one would expect.
However, there are some highly innovative and small companies that are more specialized and provide different technical capabilities. For example, some of them choose to focus on device trust or on risk-based authentication, or some of them prefer to target different industries like the small and medium enterprise market. So on this slide, we see some of the main capabilities of passwordless authentication solutions. Of course there are different flavors, and different views exist on passwordless authentication solutions. But essentially there are two elements that are required.
Number one, no password is required for user authentication, but a strong authentication is performed. Number two, no password or password hash is traveling over the network. On the right side, we see in these small boxes some of the capabilities that we observe in passwordless authentication solutions.
They should support a broad range of authenticators; strong authentication; risk-adaptive, context-based and continuous authentication; adaptive and step-up authentication. Support for legacy applications and services is an important one, especially for organizations that continue to rely on legacy systems. Passwordless solutions must make it easy for them to migrate from a traditional system to a more modern authentication system.
Passwordless solutions should also enable strong cryptographic approaches, integration with third-party authenticators, device trust on multiple devices, support for all major identity federation standards and a comprehensive set of APIs. Of course there are more capabilities, but we like to highlight these. So what's the difference between legacy MFA versus invisible MFA? Traditional MFA solutions back in the day were once hailed as the ultimate solution that would basically overcome the issue of passwords.
However, the problem is that some traditional MFA solutions continue to rely on a password as the first factor or as the backup factor. In addition, MFA on top of passwords only increases the inconvenience and it often results in poor user experience. While a password-based MFA system may once have been enough, its viability in today's threat landscape has been diminished. Passwordless MFA, on the other hand, should be able to eliminate the reliance on passwords or other easily phishable factors. Device trust is an essential component of passwordless authentication solutions.
Essentially, it is the process of analyzing whether a device should be trusted or not. It requires solutions to possess the ability to verify the user behind the device, and importantly to continuously validate the security posture of the device to make sure that the correct and authorized user is the one who will get access to the resources and information. Having strong device trust policies in place gives organizations the confidence to control access to critical resources. Another essential component is risk-based adaptive authentication.
The goal of risk-based adaptive authentication is to provide the appropriate risk mitigation assurance level for access to sensitive resources by requiring users to further demonstrate that they are who they say they are. When it comes to risk based adaptive authentication, there are different attributes that are analyzed, such as the IP address, the geolocation of the device, or the geo velocity, the device type. There are lots of these attributes and this is one of the main components of passwordless authentication solutions.
However, we all know that there are obstacles that many of the passwordless vendors are facing. Many customers and organizations don't know how to start, and like I said before, especially those that continue to rely on legacy systems. There's also a problem when it comes to business and IT alignment. Sometimes business leaders might not be very tech savvy and they don't know what the organization truly needs. There's also the old-school mentality, which is similar to my previous point. Some people perhaps do not understand what passwordless truly means.
So vendors need to deliver the right message and to be more straightforward when it comes to how a passwordless authentication solution can benefit the organization. There are also some issues with deployment costs, with selecting the right product and with licensing and subscription costs. So how to move forward? The right path for passwordless authentication must meet the unique requirements and needs of organizations regarding security, user experience and technology.
It is important to identify your organization's needs, to then follow a zero trust security plan, then select the right passwordless solution, and then choose the appropriate deployment model. It's not easy to do this, but one needs to understand what your organization needs in order to select the appropriate passwordless authentication solution. During our research at KuppingerCole, we recently published a Leadership Compass on passwordless authentication. It was published in October of last year, and we used these criteria to evaluate the, I do not remember, I think 25, 26 vendors that participated.
And these seven criteria were used to rate the different vendors. Account recovery is one of them, and like I said in one of my first slides, solutions must make it easy for end users to securely recover access. Then we also looked at architecture and deployment, authenticator support, APIs, device trust, IAM support and scalability. Now we have the second poll question, and the question is, what is the biggest challenge your customers face today? Deployment costs, the so-called old-school mentality, selecting the right product or migration from legacy systems.
I will give you approximately 30 seconds and then we can move forward. Okay, now I will hand it over to Nawshad and he will go into more detail on the topic.

Thank you, Alejandro. Just to kind of continue what Alejandro was saying about, you know, passwordless authentication and the, you know, the issue that comes with passwords and MFA in general. So I would like to, you know, introduce a little bit the concept of invisible MFA to you today.
But first of all, let's just kind of ask a quick question so we can discuss it a little bit later: what is it that is common between, you know, a casino and MFA, right? So let's think about that and then, you know, later in the presentation we'll come back and we'll try to kind of talk a little bit about the different things that we have in common between these two, you know, objects, right? So first of all, traditional MFA comes with a set of challenges, right?
So we have MFA today; when you get an MFA prompt on your phone, you don't usually know why you get this MFA, which application you're trying to access, whether it's a legitimate MFA or maybe something that is just popping up on your phone or maybe on your browser. So context information is key, right?
And unfortunately traditional MFA does not always bring enough context to the end user. It's also difficult to deploy, and as a result, you know, it does not usually gain enough user adoption, right? The other issue we see with MFA is the lack of user convenience that comes with it, right? Because the main priority of MFA is obviously to increase security, but with that, usually you kind of lose a little bit of user convenience as well.
The other thing is with, you know, different devices, different channels that we use today to access resources, like, you know, you connect to your desktop, then you open your browser and then you access your application. Usually all these channels are not really, you know, aligned together, so they're disjointed and you may be asked to do MFA multiple times depending on the channel you are using to access the resource.
And last but not least, today we talk a lot about cybersecurity insurance, which usually comes with a, you know, significant cost, and, you know, it's not something that you get without being, you know, secure enough in a certain way. So if you use, for example, just TOTP, you may not even be able to get, you know, a proper cybersecurity insurance. Fortunately, there's a new approach to these challenges.
You know, we can provide a good user experience without compromising security, and how do we do that? So let's first of all kind of extend a bit what Alejandro was saying in terms of the difference between invisible and traditional MFA.
So with traditional MFA, you know, you get an MFA prompt every time you authenticate, right? It's kind of very binary. So if you meet a certain condition, then if your policy mandates a, you know, a step-up authentication, then you have to do that step-up authentication, you know, as long as you satisfy the condition.
But with invisible MFA, we can decrease that friction. We can only ask the user to explicitly perform MFA when there is a significant risk. So that's a big difference from traditional MFA. The other one is obviously with invisible MFA, we can, first of all, you know, provide a passwordless authentication and at the same time we can leverage more advanced forms of MFA. For example, we can use, you know, biometric authenticators, we can use behavioral modeling with machine learning, and we can consolidate multiple signals from your devices, from your browser.
And this provides a more, you know, complete 360-degree view of really what the security hygiene of the access request is, as opposed to traditional MFA where it's really like, you know, you get a push notification or you get an MFA request based on just the authentication request that you are doing at that specific moment in time, right?
The other thing with invisible MFA is, you know, like I said previously, you know, you can obviously take the user's context into account, and you don't have to do that just during authentication. You can do it before you authenticate to your application. So when you just access maybe the login page, or maybe if you have, for example, an agent on your devices, that agent can feed information into the IdP, and then you can start assessing the security posture of the user.
And obviously during authentication, you get additional context, but also post-authentication and authorization. Your device or your phone actually can even continuously send, you know, contextual information about maybe your IP address, your geolocation, or whether you disabled maybe your firewall on your device.
So all this contextual information can be consolidated continuously by the IdP, by the authentication service, as opposed to traditional MFA where, you know, you only do that step of authentication at a specific moment in time, and it usually happens during authentication, not before or after authorization. Now, what is invisible MFA, right?
There are different layers that we use to kind of, you know, achieve this experience. So the first is obviously we need to consolidate, you know, the processes into a single centralized, you know, service. So basically we don't want to have different security policies based on the channels that you access, right?
So it has to be very, you know, centralized. So it's easy for organizations to manage, but it's also, you know, a consistent user experience from an end user perspective. Obviously I mentioned, you know, the risk engine and device trust, which are kind of, you know, at the center of how you can achieve this, because it's important to not just do conditional-based authentication, because with contextual information you can, I mean, you can have more than just binary decisions, right?
So you can look at trends, you can look at, you know, abnormal behavior based on what your peers are doing and so on and so forth. So with all this centralized into one system, then you can start adding, you know, the MFA layer. So obviously you would want to use hacker-proof, invisible MFA; you don't necessarily want to keep using passwords. So if you can eliminate passwords, that's even better. And obviously from an administration perspective, you know, you have one single place where you can manage your policies and everything.
And like I said initially, the risk engine is really at the center of this, right? So it's important to have a risk engine that can provide the most accurate and real-time risk score so that the, you know, the policy decision point can really decide whether there's a need to step up your authentication or not.
And if not, then maybe the user is just reassessed and then, you know, transparently, the user is allowed to access, you know, any upcoming application, for example. And then device trust. Alejandro mentioned also the importance of having device trust.
So, you know, just reinforcing that here, you know, it's important as part of, you know, your zero trust architecture to have, you know, a set of, you know, different information feeding from different sources, and the device is a critical part of your user journey. So it's important to have that root of trust at the device level really at the beginning of your journey. And then the final piece I would say is really from an end user experience perspective. So you don't want your end user to have to MFA multiple times.
So if you are accessing, you know, an application or you're just connecting to your workstation, you unlock your Windows or even a VDI virtualized workstation, if you can have, you know, a universal authentication method. So you always sign in with maybe your phone or maybe your USB stick or WebAuthn or passkey, as we can do today with, you know, the support from Apple and Windows, and then Google as well. So you can leverage this modern, but at the same time secure, authentication method.
And this will provide obviously the best user experience to your end user, but also to your, you know, customers and partners and so on. So let's take a look at, you know, the usual, the traditional authentication, which we've been using, you know, for, I don't know, 20 years now. So we have always been requested to, you know, use the username and the password.
Obviously the password comes with multiple challenges, as I talked about earlier, and, you know, the password complexity, the need to change your password every now and then, the inconsistency in terms of password policy between different applications that you access. Obviously this, you know, brings, you know, a very poor user experience. And obviously, you know, we tend to work around it as much as we can, and obviously that brings the security hygiene to a, you know, to a lower level.
So how do we kind of transform that user experience into a more modern and a risk-based continuous authentication? So, like I said, you know, on the device we can use maybe an agent that we deploy, and that agent will allow us to bring the root of trust at the device at the beginning of the journey. And then that agent will also feed information about the security posture of the device, the, you know, the screen resolution, the IP address, you know; if someone, for example, managed to hijack your session, then obviously the device fingerprint will be different.
So that can be detected, right? Because this contextual information about your devices, about your IP address and so on and so forth, can be automatically detected by a risk engine based on, you know, either a conditional-based or machine learning-based model as well. And then this obviously can happen before authentication, right? So all this information can feed continuously before you access any application. During authentication, you can sign in as you would do maybe with your user email and password, but, you know, if possible using a passwordless method.
And then most importantly, post-authentication, usually, you know, the IdP is not usually involved, but if you somehow manage to feed information to the IdP about things that can, you know, about any, you know, anomaly or, you know, something that has changed from a security hygiene perspective, like the firewall has been disabled, then the IdP should be able to, you know, trigger a step-up authentication maybe on your phone to make sure that the user session, for example, hasn't been hijacked.
Or if the application mandates or the policy mandates that, you know, you have your firewall enabled all the time, then maybe we can eventually trigger maybe a lockdown or a remote session lock on the device itself. So this continuous authentication, you know, allows, you know, organizations really to make sure that, you know, you just don't control at the gate, but you kind of continuously assess the posture of the user.
And then this slide kind of shows us a little bit the difference, you know, in terms of friction between traditional MFA and invisible MFA, the more modern form of authentication. Traditionally, you know, you would have to authenticate multiple times a day, you know, based on the application or your workstation, your VPN, maybe your virtual desktop, and then if you access some SaaS application, maybe you have SSO, maybe you don't.
And then, you know, at the end of the day, the end user is being, you know, continuously asked to, you know, do a step-up authentication or maybe to enter his username and eventually his password. Obviously this is not the best user experience.
So with, you know, invisible MFA, you can streamline all these, you know, authentications into just one single channel, and then you can access multiple resources with minimum friction. So yeah, just to recap a little bit the benefits of invisible MFA: obviously from a user experience perspective it's critical. It also allows organizations to meet, you know, their zero trust, you know, architecture. And obviously from a cybersecurity compliance perspective, it's also critical.
It's also a way to secure on top of maybe your MDM solution and, you know, other tools that you have in place in your security stack. Then with invisible MFA you can have a set of controls on the device level as well by bringing that trust to the endpoints also. And obviously, you know, MFA is something which we need. So it's important that, you know, the end user feels that there's a real benefit of using MFA. It's not just, you know, a friction that is being, you know, added to their user, you know, journey.
So it's important that, you know, we make sure we have good MFA adoption. And then obviously from a cost perspective, it's also very critical because, you know, when you save time without having to do MFA all the time, obviously it allows you to be more productive and obviously you spend more time doing, you know, what you are supposed to do rather than just dealing with friction from MFA prompts all the time.
And this is just an example, you know, just to show how, you know, from a cost perspective, you know, and in terms of user experience, you know, the benefit that you get, right? So what we call the benefit trifecta, which is basically user experience, cost saving, and at the same time strengthening the security. So if you take for example a company with let's say 30,000 users, if you have roughly 12 to 15 prompts per day, then you get approximately around 400,000 to 500,000 prompts a day.
Now, if you can reduce that to at least four prompts in a day, then obviously, you know, you can save time, but at the same time, you can save money as well; your company will save money, right? So in the case of 30,000 users with the daily rate and so on, obviously the figures will differ, but approximately we can save around 20 to 30 million dollars, or, you know, euros if you want, in Europe.
And that's something which is significant, right? It's very important. Now in terms of how do we get there, right? So obviously you can go through every single step starting from, you know, username and password, the traditional form of authentication, and then, you know, going one step at a time, or you can just leapfrog, you know, your way through and then start using passwordless and continuous authentication straight away, right?
Because obviously you don't want to, you know, be behind the curve all the time. You want to make sure to provide the best user experience to your employees because, you know, it's also important nowadays to make sure the employees and the customers have the best and the greatest when it comes to, you know, authentication experience.
Kind of, you know, to come back to the initial slide I had about, you know, the casino and MFA. So basically, you know, if you go to a casino, you don't want the security to always check on you and see whether you are, you know, compliant or you are doing anything that you shouldn't be doing.
So, you know, security is important in a casino as you can imagine. So it's important that the users are happy and they can, you know, enjoy whatever they are doing in the casino. So it's important that, you know, we have that, you know, security, but at the same time, we don't want to give a bad experience to the end user.
And this is what we want from an authentication perspective as well. So we don't want the end user to feel that, you know, security is actually a pain from an end user perspective.
You know, it has to be frictionless and we only want to step up the authentication when there's a need to do so, rather than doing it continuously and conditionally based on, you know, a binary decision, whether you meet something or you don't meet it, and then, you know, you have an MFA prompt, you know, all the time. So this is just to kind of, you know, show a little bit the, you know, the importance of having a good user experience without compromising security.
And last, before I kind of, you know, hand over back to Alejandro, I just wanted to kind of share this ROI tool that we have on our website, which kind of gives you an indication of how much saving you can do from a, yeah, you know, return on investment perspective, because with this tool, you can, yeah, set the number of users that you have, you know, and the number of, you know, password reset calls that your help desk has on a daily basis.
And then this will give you an estimated cost of, you know, how much saving you can do just by removing some friction, you know, getting maybe rid of passwords whenever possible, but at the same time without compromising security and making the end user experience even better than what it is most probably today. Thank you.

Thank you, Nawshad, for sharing your thoughts.
Before we proceed with the Q&A session, I would like to share some information. We have this KuppingerCole Open Select, which helps you optimize your decision-making process and select the right passwordless solution for your own organization. The first version of this product was on certification, and I think the second version is on PAM, privileged access management, and I'm pretty sure it was already released, so check it out if you are interested. Then we have coming up the European Identity and Cloud Conference, taking place next month in Berlin.
So I look forward to meeting some of you, hopefully. And here's some related research that we do at KuppingerCole on passwordless authentication. Like I said, there was a Leadership Compass that was published in October of last year. We'll be making an update in October of this year, so I expect many more vendors to participate. And finally, some of our services. And I think it's time now for the Q&A. From what I can tell, I believe that most questions are for you. So, are you ready?
Yeah.
Okay. The first question says, does Arculix store biometric information?
No, we don't store biometric information. When we do biometric authentication, some of the hash can be sent over, but we won't store any information in terms of biometrics, because usually, especially when you use FIDO, you don't really send the biometric information to the server. Now, we do have some hashes which we store, which are essentially, for example, the browser fingerprint and things like that.
But not regarding biometrics.
Is that a question that you often face when dealing with your customers?
Yes.
I mean, obviously security is very important, and privacy of the data is critical as well. So we have a very strong policy in the product to not store any information we don't need. Even when we do authentication, for example, we will rely on the source of truth whenever possible.
So we can have, for example, an agent that we deploy on premise to connect maybe to your Active Directory, and then if we need to do authorization, we will just simply check on the fly whether the user belongs to a certain group. Or if the user is going through a password authentication, then the password will be checked on the fly against Active Directory. There is no hash or anything being stored on our side.
So again, it's all about making sure we don't store information we don't really need, and removing any challenges that come with synchronization and things like that.
Right. Okay. Let's look at the next question. This user is asking, does the Arculix product produce false negatives?
Oh yeah, maybe: does Arculix produce false negatives? I'm guessing.
So first of all, let's try to understand what we mean, or what the industry usually means, by false positive and false negative. By false negative we understand the following: basically, a user is trying to sign in, it's the legitimate user, but we feel there's a need for the user to step up, right? So we can eventually ask the user to do a step-up authentication when we actually have maybe enough information to make sure the user is really the legitimate user.
So in general terms, from a security standpoint, it's not a bad thing to have false negatives, right? But obviously we don't want friction. As far as I remember, I think we did some benchmarking before, when we had customers testing our product against other products, and the data that we have is that for a million authentication requests, you can eventually have like a dozen, 10 to 12, authentication re-prompts, which will be recorded as false negatives, right?
So this is friction that may eventually have been removed, but the system somehow asks you to do that. So that's very minimal, if you want, right? Over a million, if you have 10 requests, it's probably not a big deal from the end user experience perspective.
However, on the flip side, the false positive is the one which we don't want, right? That's essentially when a threat actor potentially managed to get through without the system detecting it, right? That's the thing which we don't want. And our system has been tested extensively, and we are confident to say we don't let any false positive go through.
So basically, whenever there's an abnormal situation, like a change of IP address or a session hijacking or someone doing an impossible travel, these can be detected by the system, and either the user is rejected or maybe there will be a step-up authentication just to validate the user identity before giving access to the application.
Okay, that makes sense. Thank you for explaining that. And there are two more questions for you. How does Arculix work with other single sign-on providers?
So yeah, that's a good question actually. We can coexist with other IdPs, right?
So if you have an existing IdP in place that maybe performs authentication, maybe some MFA authentication as well, and you want to add Arculix on top, you can do that. We can just plug onto the existing IdP to perform the risk assessment and the MFA service. But if you want to rip and replace your existing IdP and you want something different or maybe more modern, with different features and so on, that's something which you can do as well.
So we perform both the role of a full-fledged IdP, but also just an MFA service sitting on top of your existing IdP.
Okay. There's actually another question that a user is asking. Are we ever going to get rid of passwords? I can take that one if you want.
Yeah, well, I think it's going to be difficult to do that, but I think with the trend that we observe with passwordless solutions, we're slowly going to make them less important. But in the long term, I feel like there's going to be a user in some corner of the world that is still going to be using passwords. And if we see some of the, let's say, social media platforms that still continue to use usernames and passwords, that will need to change for more users to accept passwordless solutions and to eliminate passwords. But what do you think?
No, I think you're absolutely right. It's been there for a while, and we know some legacy systems will probably still require you to use your password, right?
So maybe they cannot be modernized. They've been sitting there and they work, and you don't want to touch them, right?
It's working, so you don't want to touch them. So you will probably still have passwords, especially for on-prem applications. But I think with the adoption of cloud and with SaaS applications, we have federation in place, and IdPs are becoming very critical to your security stack. So I think, as we go forward, passwordless authentication will become more and more significant, more and more relevant, because also of the user experience that comes with it, right? We know that passwords are not always secure.
We've tried passphrases, but they're not convenient either, and they're not always consistent as well, right? Every application has a different password policy, so you end up with multiple passwords anyway. You cannot have one password that fits every single password policy.
So yeah, it is going to be there, unfortunately, but whenever possible, I think we should probably start considering moving away from passwords, especially in the SaaS world.
Absolutely. I think people have talked about getting rid of passwords for decades now, so I think we're on the right track.
Exactly.
Last question for you. This user is asking, we already use another phone MFA app. Can you just use that?
Yes and no. So yes, because we support any form of TOTP and OIDC.
So if you have your own MFA application and you don't want to download a separate application, then obviously we support that, that's fine. Now, the benefit of our MFA application on your mobile is that it also allows the system to get information from that device. So it also sends signals continuously to the Arculix platform.
And so Arculix can then decide and detect whether the phone is, for example, far away from your desktop, right? If your phone is miles away from your desktop, then obviously we know something is wrong, or at least we can double check if it is really the end user. The other thing which we can do as well, with device trust, is use the phone as a command, as an agent.
So basically, if you want to lock your device, you can use your phone application to just lock your device remotely. Let's say you went out for a coffee at the office and you are not sure whether you locked your device before going out. You can just simply take your phone; if the session is open, you will see it on your phone, and then you can just simply remote lock your device while having a coffee with your colleagues.
So yeah, there are some additional features that come with our mobile application.
Okay. I believe that was the last question.
Well, thank you Nawshad for joining me today. It was a very fruitful discussion. Anything you would like to add?
No, I mean, it was really great to be on this call today. I hope the attendees learned something, or at least that it's helpful in some way, shape or form, and maybe if you need additional information, you can always go to secureauth.com.
We have a couple of other pieces of documentation about what we do and how we can help the organization, maybe meet your zero trust architecture, and from a user experience perspective as well, things that we do which can provide a more modern user journey for employees and staff, but also for customers. So yeah, everything is on the website. Feel free to go and have a look.
But yeah, thank you for having me. That was really great.
Thank you for sharing your perspective. Goodbye.
Thank you. Bye.