It’s Not About the Password

Cameron D’Ambrosi [00:00:03] Welcome everyone to State of Identity. I’m your host, Cameron Ambrosi. Joining me this week is Blair Crawford, CEO of Daltrey. Blair, welcome back to State of Identity.

Blair Crawford [00:00:15] Fantastic to be back. Looking forward to having a chat.

Cameron D’Ambrosi [00:00:19] Yeah. So you know. Long time friend of the podcast and repeat guest so apologies to the long time heads who you know. No Blair recognized his his voice and know what he’s about but for the first time listeners, you know, 15,000 feet. What is Daltrey all about?

Blair Crawford [00:00:42] Daltrey is a biometric digital identity company. I think one of the things we really focus on is making sure that biometrics is not separated from cybersecurity. So if I was to recap on that, again, we’re a cybersecurity company that specializes in biometric digital identity. Ultimately, what we deliver to our customers is a passwordless and also a cardless experience. So you can have one identity whether you’re going into your logical environment or into your physical one. So that’s what we do.

Cameron D’Ambrosi [00:01:15] I love that. And I love the fact that you’re anchoring on identity in the holistic sense because I think, you know, look, one of the reasons why we got into this space as a company was because of what we saw as the tremendous fragmentation and maybe divergence is the right word of players in the space and the resulting fragmentation. You know, competing point solutions, if you will, that when you think about it, are all really kind of looking to solve the same set of challenges. And I think the some of the frustrations from being a practitioner in the space of seeing folks throwing technology at problems without actually analyzing, you know, what is the root, what is the real challenge that we’re actually trying to solve here in some sense? Right. Like, you know, you could think about, you know, biometrics, if you boil it down to its essence is, you know, does the template of this face that I’m capturing with the camera or with the sensor match what is stored, you know, as the template. But that’s not really that’s not really what we’re doing. Why are people deploying biometrics? It’s about understanding what is the identity of the person behind this device, behind this transaction, trying to figure out, are you the same person I saw before? And then therefore, what can you do? Right. It’s an enabler. It’s a means to an end. It is not an end in and of itself. And I think we’re seeing, you know, the companies that are thriving in 2022 are taking this approach of thinking about what is the problem that I’m solving? Why are my clients bringing me in, what issues do I have around identity and how can my technology address those issues? Not cool technology for cool technology sake.

Blair Crawford [00:03:15] I seen them. You completely agree and I seen them. I was RC a few months ago and I seen Kevin Mundine speaking about one of the biggest challenges that the workforce and corporations have to face. And it stuck with me because he said, one of the biggest things we have to do is remove anonymity from the interactions we’re having and that’s been driven heavily because so many of us don’t get to meet each other face to face anymore and that problem exists exponentially across our digital platforms. So removing anonymity really drove that problem statement around, knowing who’s doing what, when and where as they’re interacting with your business applications and and accessing the buildings which you operate from. I think to your other point, we’ve ended up with this fractured nature across the. I call it the authorization layer often. And, you know, we’re talking about the identity access management layer. And that can be something like an actor or a microsoft. It could be a forgery. That could be a privileged access management layer like your cyber ark. But it could also be your Honeywell layer or your Gallagher layer or Galileo layer. And I think what we’ve seen happen to your point about fragmentation is that departments or regional expansions of an organization have all been enabled to make their own decision around what that authorization layer may be. It’s very, very difficult for a for a large organization to try and consolidate all of these legacy authorization decisions. So if we take it back to the problem of understanding the identity of the users who we are dealing with. Establish that with a high level of assurance and then figure out how that identity can be applied to all of the authorization layers. Then you actually fix a chunk of the problem because you’re creating a holistic and 15,000 feet perspective around your whole asset. But at least you’re doing it knowing who the person is at the top. And I think that’s the real value of what you do when you create digital identity. And then touching on your other point about biometrics. Biometrics is really the enabler because once you can establish and assure that you’re dealing with the person who you intend to bring into your business, you can then, during any authentication workflow, confirm that the person who is then trying to authenticate is still the person who you onboarded into your business in the first place. Lots of people have seen the recent Verizon report. They still report that 60 to 80% are in cybersecurity. I mean, 60 to 80% of breaches emanate from credentialing credentials are obviously a part of the identity problem. So it just seems like a super obvious attack vector to invest money in fixing. But we’ve got to do it in a way which doesn’t actually cause different types of problems.

Cameron D’Ambrosi [00:06:19] So there’s I mean, yes, so much I want to dove into it new. But I think this first point you raised around, you know, myriad stakeholders and whether that’s business units, whether that’s GEOS, whether that’s all of the above. I think one of the biggest challenges we’ve seen the players kind of trying to break out of this point solution approach that doesn’t take the entirety of the digital identity lifecycle into account is I can’t anchor my go to market strategy around that because when I look to find an internal champion, someone to kind of help me break in to an organization. You know, Chief Identity Officer is a title that doesn’t exist for many organizations. You have stakeholders in, you know, cyber and risk. You have stakeholders on the growth side. Maybe you have stakeholders in maybe a fraud team. You know, how have you taken the approach of breaking through some of those internal silos and identifying someone who can kind of carry that torch for you around, taking a more holistic approach to identity and and maybe, you know, pulling, I like to say, kind of pulling that lens back, having folks that think big like pick your, you know, your business motivational speaker cliche. How have you tackled that challenge? Adultery.

Blair Crawford [00:07:40] Yeah, that’s a great question. I mean, from our perspective, we focus a lot on the internal workforce piece, and that’s just as challenging as finding a champion if you’re talking to your consumer in your cities in facing applications. So speak predominantly to the workforce piece and how we’ve addressed that first. The sizzle has one of the most difficult jobs. They’re continually looking to figure out how to protect the organization. And there are multiple threat vectors which they need to contend with. They are also the most patch people on the planet right now. Everybody thinks they have to go to the size. And the size was clearly a key decision maker and often the decision maker when it comes to implementing the type of technology that we have. But an awesome sizzle from our experience has an awesome team of influencers and champion around them. They’ll speak to what we found is being really successful in terms of who we are having conversations with and how we can support that size. Wine, curt conversation. So a big one is the chief risk officer. The chief risk officer typically has that line straight into the board. I know a lot of size those are speaking to the board right now. But the chief risk officer can obviously see that risk holistically. How it plays out across financial risk, reputation, you know, I.T. risk, operational risk, so on and so forth. So being able to get them to understand the vulnerabilities that credentialing and identity poses to the overall operation across those different pillars which I just mentioned there. And they’re super valuable and typically very receptive to understanding why this technology problem can impact their business so much. I think the other thing I’ll touch on there is that kind of remember who said this, which is annoying by seeing a quote the other day and it said Cyber security is a strategic choice. That was super interesting to me because it is clearly an additive where you had this let’s just say the olden days, we do a timeline on it, but it was a comment and security was like an afterthought. It was like if you had enough budget left, then you’d spend it. That’s clearly very different right now. Cybersecurity and security, generally encompassing all the things that go into that, including identity and credentials, has to be prioritized. You’re seeing massive amounts of massive amounts of money going against it, and you’re also seeing it being part of a fixed agenda item. So sizable chief risk and the CFO has a big part to play. And I believe in a lot of the conversations now. And the reason being the ransomware piece touches straight onto the bottom line of an organization, as well as things like the reputational damage and the financial impacts of a company. So I would say that those are the ones which I don’t think are often talked about together, but we certainly do. And then, of course, you’ve got your downstream, you know, heads of the IAM platforms, you know, your chief security officer within the physical realm, so on and so forth. But we’ve navigated it by not just excluding and so not just focusing on Sisu, but definitely looking out holistic risk and bringing in the money as well with the CFO.

Cameron D’Ambrosi [00:11:05] So, you know, where do we as identity practitioners think the future of the biometric spaces? Obviously we have, I think a number of headwinds and tailwinds that are kind of buffeting ships in the space. Biometrics, you know, as we think about Passwordless, right? I think Passwordless having another moment this year. Announcement of the Fido to launch this past May has a lot of folks excited about the prospect of kind of finally moving beyond passwords. In many cases, they got a bunch of big tech players anchored behind. On the flip side, I think, you know, consumer skepticism in and distrust around technology platforms, around sharing of identity data. I think, you know, I don’t have anything conclusive to back this up, but let’s say, you know, the the vibes are feeling a bit fraught. I think folks are not trusting in institutions as much and and maybe a bit skeptical around using technologies like biometrics. And then you kind of have the government regulatory angle of whether it’s at a national level or at a state or local level, pushbacks on, you know, either all types of biometrics and how the templates are being stored or more specific restrictions on technologies limited to things like, you know, one to end as opposed to 1 to 1 biometrics. Obviously, you founded a biometrics company, so I should hope you’re optimistic about the state of the market. But where do you see us going from here as a broader market? And, you know, do you think that there is going to be a place for both 1 to 1 and one to end biometric deployments? And how are you kind of addressing that consumer education piece as well in terms of getting the end user to feel safe and secure when when using a platform that they might not fully understand from a technical level.

Blair Crawford [00:13:00] There is a lot there and that’s good, but it’s also one of the major problems. So instead of the way that I’m talking about this right now. I’m actually seeing that. The vendors, for example, Dolce, but also the procurers client have to lead the way and how they are asking questions and challenging poor deployments of technology, including biometrics. I think that if you’re going to see in our case that you’re a responsible biometric vendor, which we are, there are a number of pillars that have to be followed, adoption of standards around security and privacy. You need to make sure that you’re deploying consent so that the user knows that they’re consenting to have their biometric enrolled. And a really important piece which touches which then extends from that is the scope. For what reason are you enrolling my biometric? And once I tick the box for the scope, for that reason, I have comfort that you’re not going to do what often happens and have a scope creep situation where your identity or something else related to your data is not being used for a use case which you didn’t consent to. And then dropping back to that first piece, the security and privacy wrapper all the way around, there’s definitely a place for one to end, and there’s also a place for 1 to 1 different use cases. Like most technology deployments. There is a spectrum and it moves depending on what it is you’re trying to achieve. We see the Fido deployments for biometrics being heavily aligned to consumer based use cases. We see the one two end indexed or mixture of one, two and indexed and 1 to 1 being deployed across more secure environments where you need to know the person who’s using the biometric is in fact that person. So just to unpack that a little bit with Fido, you’re really only authenticating the device because there’s no real way to control who was enrolled on the biometric on that local device. From an identity assurance perspective. So really you don’t know who’s using it at any given point in time. You can have a high level of assurance based in some other identity criteria on boarding criteria, and that might be fine. As I said, for certain use cases or privileged users, consumer base use cases. As soon as you’re talking about things like approving large transactions financially, as soon as you’re talking about accessing the most sensitive IP in a business, your customers IP, as soon as you’re talking about accessing the administrative portal that controls X, percentage of your operation is not suitable to do device based authentication when theoretically multiple persons biometrics could be enrolled in that device, especially in BYOD scenarios. And that’s where you see the need to have one two end based matching, which in many cases can be extremely at levels of a sort of exponentially more secure because of what that requires in terms of application security, communication security, infrastructure security, binding of identity to the biometric itself as well as application binding. So it’s definitely going back to the old adage around choosing security or or user experience and matching that along the privacy spectrum as well. And then going back to saying, well, you shouldn’t in either of these scenarios. And when it comes to doing the large biometric matching or the one to end biometric matching for your high security examples have to also jeopardized the user experience. This is one of these old things if you deploy more security. You reduce user experience. If you increase user experience, then you reduce security. That doesn’t need to be the case anymore. And I think that’s a lot of what we’re talking about right now.

Cameron D’Ambrosi [00:17:21] Yeah. I mean, wow. Again, so much too. I feel like we’re going back and forth in this tennis match where we hit three tennis balls at each other and then the other guy can only kind of return one. So I will pick on that security thread. You know, I think the use of biometrics as a security factor is only increasing. I’m hopeful that, you know, again, with this push towards Passwordless. More enterprises, more consumers are going to have the power of biometric authentication in their hands. Obviously, this means threat actors are going to be stepping up their game as well. We’ve been seeing some really interesting trends from across the globe in terms of a very high degree of injection type attacks in Brazil. Apparently a lot of duplication style attacks where folks are trying to open more than one new account using the same set of biometrics in Africa. From your perspective, like what are the threat vectors that you’re seeing and you know, which in your mind are kind of the most pernicious and the ones that you’ve had to really expend the most time and energy, you know, cooking up countermeasures to defend against yet 100%.

Blair Crawford [00:18:41] So that actually touches on your previous point as well because if you’re doing the fight based biometrics, then you cannot protect against the fraudulent account creation because you’re not doing any deduplication or checking on identities being used. From a biometric standpoint previously. So it’s one of the perfect use cases for making sure you’re doing one, two and matching to ensure that that person isn’t already in there. So that’s one of the attack vectors you need to look up when you’re relying on biometrics. Has this person enrolled using other credential information? I know they’re trying to do again with a different identity. What can we do here to say, well, this person is Donald Duck last week for not trying to be Mickey Mouse? No, that’s a really easy one to fix with biometrics. And spoofing the facial recognition iris or fingerprint is definitely something we continually have to address. A couple of ways to look at that. Strong collaboration with the algorithm providers and your cybersecurity principles to be making sure that you have remediation. If there is a new type of spoof which is developed so that you can train the models to be able to remove that threat. Right. And security is never 100%. Anyone who’s seeing they have a silver bullet to security across any of the technologies which can be deployed as a living and a practical reality. So what it means is that vendors have to accept and customers have to accept that they may have vulnerabilities across their asset from a security perspective, which is biometrics, just generally speaking. So it’s really about making sure they can remediate that if something pops up and that they have designed the layers and their security to minimize or negate entirely the actual practical impact. So the spoofing piece relies on us being able to update algorithms and the models to be able to defend against attack vectors, which we see in the wild. The other one as well is we’re seeing very poor practices when it comes to application security. So let’s just say that it’s easy to get into the biometric business. You can do some safety checks. You know, you can read some passports. What is not easy to do is to protect the integrity of the authentication workflow. That means that you’ve got to deploy advanced security techniques at device level and application level and infrastructure level, and then all the bits in between that connect that stuff together. We are seeing complacency. We’re seeing a lack of standards in terms of tenders which are coming out around the cyber security aspects of biometric requirements. That is actually an industry problem and which we are pushing back against fairly passionately. I mentioned at the very beginning of my intro, you know, I used to introduce us as a biometric digital identity company, like we’re a cybersecurity company. The works with biometrics. So that’s one of the biggest challenges I think that we need to address in the market. And I think that back to my earlier point, persecutors of technology have to be better at seeing you need to be able to adhere to these cybersecurity standards as it applies to my authentication workflow. The final one that I would touch on is not to pick on the fight on the device based biometrics too much, but unfortunately this came up in a meeting as come up in a meeting which was good for us. And a few weeks ago, the where the customer was contemplating whether to cut down the Daltrey or whether to go down the route of a biometric device based provider. So a very large one, I won’t name them here, but it was a very large one and. The debate around device based authentication versus doing centrally managed biometric where you could check the identity against the onboarded identity. That was all coming into play. And one of the engineers, he put his hand up in the room and he went, I’ve enrolled my wife. And my biometric on my device because she uses my phone sometimes and I just seen the room all look each other going. That’s the same biometric which is used potentially to authenticate into our corporate network. And that’s where that started to unravel because they said, I wonder how many people across our businesses are enrolling for the sake of convenience, their kids and to their partners and to it. And this is a problem which I think we may be creating but not understanding. Know the practical risk of this. I don’t think we full and fully understand yet. But it does raise the question if we are removing passwords, what is the other thing that we need to do to make sure we’re not just replacing that with a problem where we’re never entirely sure who’s actually using the device based authentication mechanism? And how does that play out as that attack vector is exploited and becomes more obvious to threat actors? So that’s the other one that I would touch on to summarize, making sure you can control exactly who is biometric you’re dealing with as they authenticate into the network and making sure that you understand the onboarding process to get a high level of assurance of that person, making sure you’re deploying application level security as well as the biometric itself, and then adhere to standards. Don’t neglect the standards which a ton of really smart people are defining based on real world environments. So is a ton in there for you to unpack as well? Will be here already.

Cameron D’Ambrosi [00:24:43] So, you know, looking to the future, do you think that we can finally kill the password? I think it’s a topic that’s top of mind for folks, especially, again, with, you know, this big Fido announcement. We’ve been talking about the death of the password for what feels like 20 years. You know, do we have a shot this time, if not of at least killing the password, maybe at least thinning out the password heard so that folks interactions with passwords are fewer and more far between.

Blair Crawford [00:25:21] Yeah, 100% at an application level. So I use our application level 100%. Passwords can go. The technology is there. It’s mature industry interface standards have been developed. A.I.M. and wide DC allows that to work across different ecosystems. So certainly from, let’s say, a general user accessing applications, passwords can go. I think there are definitely some challenges to. In the depths of technology where passwords are kind of embedded into the lower levels and they’re not necessarily at the application level. I think that’s going to be the next attack vector. I have also written the next challenge for removing passwords, and there are obviously ways where you can have, you know, hardware based tokens and you can have various controls and protocols to do that. But I think once you’re past the application layer and you’ve got into the kind of depths of the technology, if your passwords have been embedded into your legacy technology and are really deep level, then that needs to be addressed as well. The way that we think about that, though, if you can. But going back to that 68% and start from Verizon, if you can remove that. As a threat vector in your environment. And that’s mostly talking about user authentication into the application level in terms of a breach. If you can remove that, it allows the organization from our opinion to then focus on the more complicated or sophisticated types of attacks which still get to exploit, pass their firewalls, you know, to skip the authentication workflow entirely, to be able to then get into where passwords have been hardcoded 20 years ago into a stack that they can’t remove and they don’t want to have anymore. And I think that’s where we’ll start to see divergence and focus of budget, too, to then say, well, how do we fix these problems? Which we fixed an application layer and some of the depth of a technology which are a little bit more complicated to fix that make kind of sense the way that I’m describing that there about the different heavy use cases and they’re touch points, I suppose.

Cameron D’Ambrosi [00:27:41] It does. And and, you know, I think, look, it’s fun to say something like the death of the password, but ultimately, again, and not to deconstruct this argument so much that it becomes like this, you know, hypothetical thing we’re talking about, like when we’re talking about passwords, we’re talking about. Right. A shared secret. But, you know, biometrics, whether it’s a something you are something you know, something you have like the password to some degree exists in a database somewhere. It’s just a different form of of conveying that that information. And I think when we’re talking about the death of a password, hopefully what we’re moving past is the worst possible implementations of the something, you know, format, which, you know, happened to tick all of the boxes of the things that are the absolute worst for human brains to do and the absolute best for computer brains do. Right. And figuring out ways like even where we are anchored on is something, you know, factor figure out how to make them more user friendly, more privacy preserving and hopefully more penetration proof, you know, to keep the the bad actors out. And I think, you know, moving towards a device centric approach where you can do things like, you know, layer on on device biometrics can really be an elegant workaround. You know, I think that the degree to which people don’t realize that touch ID and face ID on your iPhone for most applications are just a password manager. You know, I think that that gets lost in the shuffle to some degree. And I would argue that, you know, if all those types of authentication were what consumers saw as touch points like, even though there’s still a password in there, you know, we have sanded many of those rough edges off that that make the. The threats from how consumers use passwords. The most pernicious because, you know, technology doesn’t have feelings. It’s you’re right, it’s a tool just like anything else. And unfortunately, it is down to us, you know, as users, how we use that technology and our own human shortcomings and then the administrators who are choosing to deploy it. So I think it’s about, you know, taking stock of what tools do we have in our arsenal and how do we know that people are going to be using them and then being mindful and user centric in those deployments?

Blair Crawford [00:30:12] Yeah, I agree. I’m glad you brought that up, because a number of the deployments which we’re seeing around, especially device based and consumer environments, which then unfortunately find themselves into work force environments, is that they’re not fulfilling the password. So it’s a pure convenience play which is covering up a really bad password in the first place. So a threat actor, all we have to do is figure out your phone and just assume that this plays out like this and they get your phone. They just don’t look at the biometric a few times and then all of a sudden they’ve got four digit passcode to get into your phone, which then becomes your authentication method and the X, Y and Z limited risk of that being exploited in a consumer based if that’s an attack vector that can be exploited across your disparate workforce globally that you’ve deployed. A very poor password manager with a low level of quality in terms of the and the length and complexity. And that’s definitely going to get targeted is an easy one. And that’s where we’ve got to make sure that we’re properly deploying the authentication mechanisms to see. It shouldn’t just be sort of filling a password. It should be talking based authentication and, you know, with key management and all the other things that wrap around in terms of application security, making sure that we can maintain the integrity of the workflow for dealing with the person that we tend to deal with. All of those things come into play. And you’re spot on. I think that as long as people are buying these technologies to think they’ve got, they’ve gone passwordless. They’ve potentially just opened up a whole world of complacency, pain, and that will get them hard down the line if they don’t look under the hood and figure out exactly what it is they’ve just bought.

Cameron D’Ambrosi [00:32:07] I couldn’t agree more. So, look, we could be here all week and into next having a grand old time and chatting. But we probably should bring it home for the sake of our listeners. Crystal ball predictions, markers for the future you want to lay down, you know? Are you feeling generally optimistic? What’s giving you excitement? And where are some areas that you’re maybe hopeful but but aren’t exactly sure where we’re going to see things, you know, grow and shift in the space.

Blair Crawford [00:32:39] Now, biometrics will be a massive catalyst for removing passwords. And as already. So there’s the first thing that I see developing and will continue to develop. And where we’re really focusing though and where we’re seeing significant uptake is across large enterprise really have the most to lose in terms of reputational damage as well as financial damage. So that’s where we’re seeing a real drive for proper passwordless critical national infrastructure. And, you know, unfortunately, modern warfare is for. By trying to turn off the power and trying to turn off utilities generally. So being able to provide stronger credentialing into our critical national infrastructure. And we’re starting to win more significant projects across that industry now in health care and in airports and utilities, generally speaking, as I said. So I think we’ll see significant trends there. But I also think that it will start to see from a control perspective many more standards and then many more mandates flowing down from government for certain times of types of assets like critical national infrastructure, to say you must have this level of control when it comes to you, to authentication and passwords are probably going to go, especially the application layer. So that would be my bet, call it. We’re going to see the controls being mandated across the assets where there is most potential to do damage to the way that we live. And critical national infrastructure is certainly one of those.

Cameron D’Ambrosi [00:34:30] I love it. Shameless plug opportunity for folks listening who like the cut of your jib. Want to learn more about Daltrey. Get in touch with you. Learn about how to deploy the solution. What’s the best place for them to go?

Blair Crawford [00:34:46] Best place to go is to our website Daltrey dot com. And then on there you’ll find links to all of our socials. And then if you also like the sound of my voice, then I won’t take offense if you don’t. But I won’t know if you do it. And you can also catch me on my podcast, which you’ve been a guest of identity today. So you can find that I know your normal podcast locations.

Cameron D’Ambrosi [00:35:10] Well, as someone named Cameron, I believe I am legally obligated to enjoy your your Scottish accent. So if anyone, any of our listeners have a problem with it, you’ve got beef with me as well. Blair, thank you so much for your time. Really appreciate it. And I hope to catch up with you again soon.

Blair Crawford [00:35:28] Fantastic. And I look forward to doing one face to face one day. You’ll see in New York Alley, Sydney.

Cameron D’Ambrosi [00:35:33] How about Australia? I’ve never been to Australia, so we’ve got to make that happen too.

Blair Crawford [00:35:36] Sure, we’ll look for some nice weather because as I said earlier on us, it’s not the best right now. But we will figure something out, I’m sure.

Cameron D’Ambrosi [00:35:44] Fantastic. Well, thank you again.