AWS re:Invent 2023: Passwordless Authentication
2023-12-22 20:8:35 Author: securityboulevard.com(查看原文) 阅读量:8 收藏

Speaker 1: This is Techstrong TV.

Shira Rubinoff: Hi, this is Shira Rubinoff. I’m here at Amazon re:Invent 2023. I’m here with Graeme Speak, CEO, and founder of BankVault. Graeme, it’s such a pleasure to be with you here today.

Graeme Speak: Thanks, Shira. It’s really exciting to be here too.

Shira Rubinoff: Well, thank you. So Graeme, I’d love you to share with the audience a little bit about who you are, what you’ve done a little bit in the past, and then we’re going to dive deep into MasterKey. So please share with our audience a little bit about yourself.

Graeme Speak: So I’m the founder and CEO of BankVault Cybersecurity. So we’re a technology innovation company. So we run an innovation team that actually develops new cybersecurity products. So we’ve got probably 25 innovations, six patent families, five products in market. But the really big one that we’re focused on is called MasterKey, which provides passwordless access to web login portals. We were developing originally cloud computing platform technology and literally just took those ideas and pivoted it into this cybersecurity realm. So our thinking’s been quite different. We’ve settled into the industry backwards and the idea is actually really solid. So we keep on building on the shoulders of what we’ve done before, so hence we have these 25 innovations now.

Shira Rubinoff: That’s wonderful. And can you explain a little bit to our audience how your product, how MasterKey differs from everything else out there, because we certainly have heard about passwordless logins and the like and different in the ecosystem, the cybersecurity world, but your certainly is different than other things that I’ve heard about. So please share with our audience a little bit about that.

Graeme Speak: It is, I mean, so passwordless in the last year, since 2021 has become one of the hottest sectors in cybersecurity. The approach that we’ve taken was specifically around web logging portals, SaaS companies where a user is logging in through their browser onto a site. So typically a large enterprise with a business-to-consumer interface, or a SaaS company. What’s different about our solution is that you can integrate this. It’s a cosmetic change effectively to the front end of the website. So the integration is extremely shallow.

We’ll integrate with whatever backend is there, but the most important thing is that there is nothing for the user to see. There’s nothing to download, install, or configure. So it’s essentially invisible to the user, it just starts working. It looks like magic, but what this means is that you could actually deploy this on mass virtually overnight. So the really key thing that we realized is more than just a cybersecurity solution, this is going to provide seamless access for users, which is going to increase engagement. It is stronger than a username, password, normal login. So that builds trust and we’re essentially going to reverse login abandonment. And this is a major issue for any online services.

Shira Rubinoff: Well, certainly we talk a lot about no extra steps for users when we talk about the human factors piece of cybersecurity, when you put the onus on the user, they’re responsible to do certain steps. And when people are working at warp speed and they’re multitasking, the last thing they want to do is think about the different steps they have to do to be secure. And certainly, we’ve heard about in read in the industry that if there are steps, they’ll circumvent it, they’ll go around it, they won’t do it. And then people are left vulnerable. So the no extra steps I think is a very pivotal spot for your organization. The fact that it does work, you can deploy on mass, it doesn’t take a long time to deploy, and really there’s no training. And that talks about the different areas about training your users and training people on how to utilize the system, the fact that there’s no steps, and it works, that’s pretty amazing. So could you describe how you’re able to do this? What is your secret sauce, if you can share that with us?

Graeme Speak: Yeah, it is actually very clever. And in fact, if you can, I mean change management education is never zero, but ours trends towards nil, which is such a strong advantage.

Shira Rubinoff: Okay.

Graeme Speak: So we have customers that literally can now deploy within minutes instead of months. So the trick here is actually quite clever. It’s a decentralized protocol. We’re generating three security secrets behind the scenes. It’s typically a usable login with their mobile phone direct to the website. It just recognizes the logs in. If you’re on a workstation, we want to harness the mobile phone. And so we’re presenting a QR code on the screen. If you scan it with your phone camera, it pairs your phone’s browser to the same web service sessions on the screen, authenticates the login, logs in. So there’s actually nothing installed on any device and there is no setup. And what we’re doing is with these three security secrets, one’s in the mobile phone, one’s in the web server, and the trick here is there’s some infrastructure in between which can run on print, or run in Amazon, in the cloud anywhere.

It doesn’t matter. It’s decentralized, meaning that these secrets are never released. There is no singular attack service. It works as a one-way vector. So it can only ever be resolved by the organization’s web server. When that process is initiated by the user’s mobile phone, perhaps their face ID for proof of presence, et cetera. And I think what I would say is if you look at the market, the addressable market that we’re looking at, which is web services, pretty much 99% of all websites on the planet today use username, passwords, or social media. The social media authentication is a really poor idea. What happens when Facebook blocks your account? Do you really want Facebook knowing everything that you do? Of course, you don’t. So what we’re doing is we are providing, we’re basically securing the user from the weakest part of the network, which is always their own device. We are giving them a seamless login experience, which is going to increase engagement. We’re uplifting this to multifactor authentication in one step, it’s invisible to the user. And an organization can deploy this in minutes.

Shira Rubinoff: And organizations talk similarly about this and they ask what about man-in-the-middle attacks? How do you circumvent that?

Graeme Speak: Yeah, this really sidesteps the man-in-the-middle. I mean no single cybersecurity solution is ever going to be … You could never say it’s not unhackable, but it’d be incredibly unlikely. So we are probably not the attack surface. That attack is going to try to get to the backend somehow, but it won’t be through the use device anymore. We’re addressing, I think the major attack surface in any network, which is always the end user’s device.

Shira Rubinoff: Exactly. That is very true. And let’s talk about, again, more dealing with the market. Who would be your perfect ideal customer? When we talk about solutions, talk all about the nice to have, need to have, and must have. Nice to have is pretty much everything out there, need have is when we have the dollars, we’ll spend it. Why are you a must-have? Why should the dollars be spent on your product now, and who would be an ideal customer for you?

Graeme Speak: So our target customers are typically going to be an organization that has a interface to an external customer. So typically a business-to-consumer interface. What we’re doing is providing seamless access for the users. It’s going to increase engagement, it’s stronger security. We’re reversing login abandonment. I mean these are really strong benefits for the end users. So this actually becomes a business driver. It’s an accelerator for SaaS companies. The reason that you would do it is basically if you don’t, honestly, in the next year or so, you’ll see a lot of the world moving towards passwordless. It’s already here. It’s like a scenario that’s already hit the shore. It’s happening around us. The solutions on the market today, whether it’s the FIDO system, FIDO standard web orphan, or others are always complicated for the user. You’ve got to download, install, you got to configure software, you’ve got this massive change management project.

I mean, even with the FIDO, I mean we are FIDO-compliant ourselves. So we’ll provide that. We can go up to five or six factors of authentication. The market isn’t asking for that. The market just needs seamless. And we can do this in a way that’s invisible to the user. So if an organization wants to basically provide a better user experience, or if security is a major issue, and of course it is, then here’s a solution that you could literally deploy straight away without a lot of fuss. I’ll actually just also add, there is no technology risk or security risk. There’s no technology risk because there is no single point of failure. In the worst possible situation where for some reason the passwordless technology has stopped working, who knows why, the users can still login with their original credentials. And there is no security risk here because this is the user’s normal input, only we’ve abstracted away, they no longer need to enter it through the weakest part of the network, which is their own device. It’s now controlled by the enterprise, by the organization.

Shira Rubinoff: Well, I will say one of the things also, that I like about your system is the users are behaving like they normally would, you don’t have to retrain them, they don’t really have to think about it. It’s just a natural continuous login the way they always have, yet they’re secure. And I think that is something very interesting that people should take note of. And something else I’d like to ask you, in the cybersecurity world, I always ask my interviewees when we speak, what is a helpful hint you could talk about for a moment to the global audience here about something you’d let them know that they should take note of, or they should think about when they’re dealing with their everyday life in cybersecurity?

Graeme Speak: Oh, goodness me. I keep coming across people, when this audience, I mean they’re already well reformed but there is so much naivety out there about what the actual risk that’s occurring. People think they’re a small fish and it’s not going to bother me. And I’m not really clicking on anything on the internet. I’m using literally a guy friend that I met in the street the other day, he’s using an old Mac that he doesn’t upgrade because he thinks that’s more secure.

And it’s just like these people are clueless, of course. We need to educate the people. And it’s just basic, it’s like when we were kids, we were taught to be careful when you cross the street because the street is dangerous. Look to the right, look to the left. Today the internet is dangerous and we need to be educating people that you don’t just go out there. You’ve got to be super careful. I mean, I give a lot of talks, and every time I start, I normally explain to the audience how I’ll hack them. And I’ll do this in 30 seconds. I’ll have a hundred percent of their attention because they had no idea it’s so simple.

Shira Rubinoff: Sure, sure.

Graeme Speak: I’m now in the right to actually go into a bit more detail about how you can actually protect yourself, yeah. So yeah, education.

Shira Rubinoff: Education is key. A hundred percent. Well, inform people, make the right decisions. And I would even say to further on what you’re saying is stop and pause, think before you act, think before you’re doing. And almost looping that back into your technology, you’re taking away that piece of something that people have to think about to be secure. You’re making them secure without thinking. So that’s one extra thing they don’t have to worry about. Any further things Graeme that you’d like to share with our audience about MasterKey?

Graeme Speak: If any organization would be interested in trialing this, honestly, we can set this up in a few moments. I can literally set up a demo in 60 seconds. This is so simple for the user. You can experience it in your own hands within moments. As I said, there’s nothing to download, install, or configure. It literally just starts working. I have people say, “This looks like magic. How do you do this?” And it’s deep tech, it’s very clever.

Shira Rubinoff: That’s excellent.

Graeme Speak: And so it’s not trivial on the inside, but the experience for the user is essentially seamless. So this will scale massively. So it can be hosted on-prem if you need it. You can just use the cloud version, which is simple and cheap. It’s not expensive.

Shira Rubinoff: Sure.

Graeme Speak: And yeah, we’d love to partner. We are expanding rapidly now. I would just say one of our go-to markets is actually through online SaaS marketplaces. So SaaS marketplaces, we are one right now called Odoo ERP. We’re the only passwordless option in that marketplace, there is some 300,000 businesses use Odoo and I can deploy this in three to five minutes.

Shira Rubinoff: That’s wonderful.

Graeme Speak: Yeah, there’s dozens and dozens of these marketplaces. So generally our competitors can’t reach these markets because they’ve got hefty integration at the backend. And every user has got to download, install particular software, whereas ours doesn’t.

Shira Rubinoff: Great.

Graeme Speak: So it’s a very sharp competitive edge that elevates SaaS in a very large marketplace. And I’ll just say one more thing too, we are raising more investment rounds, if anybody’s interested. We’d be loving to talk.

Shira Rubinoff: Well, I encourage our audience, if you’d like a demo, please reach out to BankVault with their wonderful technology.

Graeme Speak: Or, Masterkey.

Shira Rubinoff: MasterKey and Graeme will be happy to speak with you. And Graeme, thank you. It was wonderful speaking to you today here at the Amazon re:Invent Conference here in Vegas and I look forward to speaking to you again soon.

Graeme Speak: Thanks so much, Shira.

Shira Rubinoff: Thank you.

Recent Articles By Author


文章来源: https://securityboulevard.com/2023/12/aws-reinvent-2023-passwordless-authentication/
如有侵权请联系:admin#unsafe.sh