1
00:00:09,700 --> 00:00:12,500
You're listening to the Identity
at the Center podcast.

2
00:00:12,800 --> 00:00:14,900
This is the show that talks 
about identity and access 

3
00:00:14,900 --> 00:00:18,000
management and making sure you 
know who has access to what 

4
00:00:18,100 --> 00:00:25,000
let's get started. 
Welcome to the Identity at the

5
00:00:25,000 --> 00:00:26,800
Center podcast.
I'm Jeff and that's Jim. 

6
00:00:26,800 --> 00:00:28,600
Hey, Jim. 
Hey, Jeff, how are you? 

7
00:00:28,700 --> 00:00:30,900
Oh, not so bad yourself. 
I'm doing good. 

8
00:00:31,000 --> 00:00:34,300
Did you think you would come to 
Seattle and have great pizza? 

9
00:00:34,900 --> 00:00:38,300
No, the Sheraton Grande, Seattle
has great pizza. 

10
00:00:38,500 --> 00:00:43,000
They had lunch today, it was 
fantastic, but I'm having a bit 

11
00:00:43,000 --> 00:00:49,200
of a carb coma at the moment so
but you know nothing that 

12
00:00:49,200 --> 00:00:53,700
caffeine can't fix so, all 
right, I'm sorry. 

13
00:00:53,800 --> 00:00:58,300
I grew up in Chicago area, which
is a pizza mecca for a lot of 

14
00:00:58,300 --> 00:01:03,000
people. 
I am of the persuasion that most

15
00:01:03,000 --> 00:01:06,200
Pizza is pretty good. 
Like, it's pretty, even a bad. 

16
00:01:06,200 --> 00:01:09,500
Pizza is still pretty decent 
with the exception of one that I

17
00:01:09,508 --> 00:01:11,000
had in Paris, which was 
completely awful. 

18
00:01:11,600 --> 00:01:13,900
We're not going to go there 
right now and I feel like that 

19
00:01:13,900 --> 00:01:18,800
is common for the most part. 
I mean, you're talking dough, cheese,

20
00:01:18,900 --> 00:01:21,600
sauce, some toppings, things 
like that. 

21
00:01:21,900 --> 00:01:25,200
Yeah, BFFs admit to some pizza. 
Better than others, right? 

22
00:01:25,200 --> 00:01:26,200
It sounds better than others for
sure. 

23
00:01:26,200 --> 00:01:27,500
Yeah. 
But even a bad Pizza. 

24
00:01:27,500 --> 00:01:30,900
Still pretty good. 
Yeah, this was good pizza. 

25
00:01:31,000 --> 00:01:34,000
It wasn't like good bad Pizza. 
There's just good. 

26
00:01:34,000 --> 00:01:36,400
Good pizza. 
I didn't have any of the pizza 

27
00:01:36,400 --> 00:01:38,600
lunch and saying, yeah, you 
missed out. 

28
00:01:38,800 --> 00:01:41,300
You also eaten the partially
cooked chicken. 

29
00:01:41,500 --> 00:01:45,400
No, I have the partially cooked 
pasta was fine. 

30
00:01:45,400 --> 00:01:48,300
It was difficult to scoop 
because there was so much cheese

31
00:01:48,300 --> 00:01:51,800
on the, on the spoon, couldn't
like get it to come off the 

32
00:01:51,800 --> 00:01:54,100
spoon. 
So it's like, I'm like one Piece

33
00:01:54,100 --> 00:01:57,700
of pasta to piece of pasta. 
Trying to get it but those are 

34
00:01:57,700 --> 00:02:00,100
all first world problems. 
I mean, I yeah, the first world 

35
00:02:00,100 --> 00:02:04,800
problems but I'm thinking that 
conferences and this conference,

36
00:02:04,800 --> 00:02:08,699
the Authenticate 2022 conference
which we're sitting in, shout-out

37
00:02:08,699 --> 00:02:14,200
to and Russia are again for, you
know, and Adrienne for settings 

38
00:02:14,200 --> 00:02:18,300
up with a fantastic podcasting 
milk, which is where we're 

39
00:02:18,300 --> 00:02:23,700
podcasting from now. 
But, you know, I think the food 

40
00:02:23,800 --> 00:02:24,700
Was so good. 
Here. 

41
00:02:24,700 --> 00:02:28,800
That is like having it might 
give Thanksgiving a run for the

42
00:02:28,800 --> 00:02:32,000
money in terms of the amount of 
weight that I put on, that's a 

43
00:02:32,000 --> 00:02:33,300
bold statement. 
Yeah. 

44
00:02:33,300 --> 00:02:36,400
Well, they also had a great 
breakfast, buffet downstairs. 

45
00:02:36,400 --> 00:02:38,900
So I don't know. 
I'm going off about the food. 

46
00:02:38,900 --> 00:02:41,000
I've eaten a lot of food since 
I've been here. 

47
00:02:42,100 --> 00:02:43,600
Yeah. 
Why don't we talk identity? 

48
00:02:43,600 --> 00:02:46,300
As you mentioned, we are at the 
Authenticate conference here in

49
00:02:46,300 --> 00:02:49,100
Seattle, we've been having lots 
of great conversations with 

50
00:02:49,100 --> 00:02:52,700
folks that are here, some who 
are giving presentations some 

51
00:02:52,700 --> 00:02:57,400
that are not and just the identity
space. Our guest right now falls

52
00:02:57,400 --> 00:02:59,700
into the former category. 
His name is Tom Sheffield. 

53
00:02:59,800 --> 00:03:02,500
He's a senior director cyber 
security at Target. 

54
00:03:02,500 --> 00:03:04,800
Welcome to the show. 
Tom, thanks for having me. 

55
00:03:04,900 --> 00:03:06,800
Yeah, thanks so much for
being here. 

56
00:03:07,300 --> 00:03:10,700
You're going to give a talk 
tomorrow as we're recording this

57
00:03:11,200 --> 00:03:15,400
around Target's enterprise
journey to adopt FIDO, but this

58
00:03:15,400 --> 00:03:16,400
is the first time you've been on
the show. 

59
00:03:16,400 --> 00:03:19,600
Hopefully, not the last, but we 
have tradition whenever someone 

60
00:03:19,600 --> 00:03:21,900
joins the first time, I like to 
find out a bit more about their 

61
00:03:21,900 --> 00:03:24,600
identity background sort of 
their, their Origin story. 

62
00:03:25,100 --> 00:03:26,600
How did you get into the identity
space? 

63
00:03:26,600 --> 00:03:29,100
Is something that you chose, or 
did it choose you? 

64
00:03:29,600 --> 00:03:31,000
I think it's a combination of 
both. 

65
00:03:31,000 --> 00:03:33,800
I chose to take the role but at 
the moment, I didn't realize it 

66
00:03:33,800 --> 00:03:36,000
was an identity role. 
I started out in General 

67
00:03:36,000 --> 00:03:39,300
Electric at the aviation 
division in Cincinnati, Ohio. 

68
00:03:39,800 --> 00:03:42,400
And I'd always been in a, what I
would call an application 

69
00:03:42,400 --> 00:03:44,900
infrastructure type role. 
So application to support 

70
00:03:44,900 --> 00:03:47,000
product teams, engineering 
teams, things like that. 

71
00:03:47,500 --> 00:03:50,000
And there's an opportunity at 
our corporate headquarters to 

72
00:03:50,000 --> 00:03:52,700
launch at the time will be 
called the directory initiative.

73
00:03:52,900 --> 00:03:55,400
And didn't know really what
it was, but it ended up being the

74
00:03:55,408 --> 00:03:58,600
beginning of our single sign-on 
capability for GE and it had 

75
00:03:58,600 --> 00:04:01,300
becoming the capability, the 
core capability for our 

76
00:04:01,300 --> 00:04:05,300
centralized provisioning for GE.
And then at the time, it was 

77
00:04:05,308 --> 00:04:07,800
just one of those things that we
did was a productivity play, 

78
00:04:07,800 --> 00:04:10,000
right? 
We had situations, you know, 

79
00:04:10,000 --> 00:04:12,800
prior to single sign on every 
user had multiple accounts, 

80
00:04:12,800 --> 00:04:14,600
multiple logins, multiple 
passwords. 

81
00:04:14,900 --> 00:04:17,100
We had different ways to get 
access to different systems. 

82
00:04:17,399 --> 00:04:20,800
And so at the time, we really 
focused on productivity and then

83
00:04:20,800 --> 00:04:24,200
Sarbanes-Oxley hit a couple
years later and you started to

84
00:04:24,200 --> 00:04:26,400
see some of the compliance 
opportunities that identity 

85
00:04:26,400 --> 00:04:28,600
could play within.
And so we started focusing more 

86
00:04:28,600 --> 00:04:31,200
on compliance in addition at. 
So as you're doing centralized 

87
00:04:31,200 --> 00:04:33,100
provisioning, you get 
centralized access

88
00:04:33,100 --> 00:04:35,300
reviews, or the capabilities
for centralized access reviews. 

89
00:04:35,600 --> 00:04:38,600
So we started driving a lot of, 
a lot of our focus on to 

90
00:04:38,600 --> 00:04:41,500
ensuring GE remain compliant. 
Sarbanes-Oxley being the

91
00:04:41,508 --> 00:04:45,400
initial one and then after, you 
know, a few years cybersecurity 

92
00:04:45,400 --> 00:04:48,500
became more like what it is 
today where you actually had a 

93
00:04:48,500 --> 00:04:52,000
security Focus simultaneously 
and I've been doing it, you 

94
00:04:52,008 --> 00:04:55,500
know, I guess now for most last 
Two years and it's so amazing 

95
00:04:55,700 --> 00:04:59,000
how far it's come. 
So it sounds to me like it chose

96
00:04:59,000 --> 00:05:02,300
you to some degree, which has 
been sort of my working Theory 

97
00:05:02,300 --> 00:05:05,700
over us. 
Say this is I think episode 178 

98
00:05:05,800 --> 00:05:09,700
and we think maybe two people. 
During that time have said that 

99
00:05:09,700 --> 00:05:13,200
they actually chose identity. 
Well, I think if you're an IAM

100
00:05:13,200 --> 00:05:15,900
lifer today,
you've been doing IAM for 20

101
00:05:15,900 --> 00:05:18,900
years, there's no way that you 
chose it because most people 

102
00:05:18,900 --> 00:05:20,500
didn't even know what it was 
back

103
00:05:20,500 --> 00:05:22,900
then. This is absolutely true.
I would agree. 

104
00:05:22,900 --> 00:05:23,900
Yeah. 
If you're coming into the

105
00:05:23,900 --> 00:05:26,000
industry. 
Now you're likely choosing it 

106
00:05:26,000 --> 00:05:29,300
and you're probably choosing it 
from a cyber security angle not 

107
00:05:29,300 --> 00:05:31,900
as much maybe as an identity 
angle and what we found is that 

108
00:05:31,900 --> 00:05:35,000
identity its core identity is 
core to a good cyber security 

109
00:05:35,000 --> 00:05:37,000
posture. 
Yeah, I would say it's at the 

110
00:05:37,000 --> 00:05:40,700
center. 
Let's talk a little bit about 

111
00:05:41,100 --> 00:05:43,700
the talk that you're going to 
give tomorrow and it's titled 

112
00:05:43,700 --> 00:05:46,800
Insights from Target's Enterprise
Journey to Adopt FIDO.

113
00:05:47,300 --> 00:05:49,300
So that sounds very cool and 
impressive. 

114
00:05:49,400 --> 00:05:52,100
What is the, you know, the the 
subtext there that we should be 

115
00:05:52,100 --> 00:05:55,300
thinking about as we go into it 
for your talk tomorrow.

116
00:05:55,500 --> 00:05:56,900
Yeah, we. 
So we've been on our FIDO

117
00:05:56,900 --> 00:06:00,500
journey for multiple years
now. Most recently, about a year

118
00:06:00,500 --> 00:06:04,000
and a half ago, we'd made the 
transition to support FIDO as

119
00:06:04,000 --> 00:06:05,600
what I call a primary 
authenticator. 

120
00:06:05,600 --> 00:06:09,300
So replacing the use of the 
password and using Biometrics. 

121
00:06:09,300 --> 00:06:12,700
So we chose to use platform 
authenticators on our devices. 

122
00:06:12,700 --> 00:06:15,700
So laptops and mobile devices, 
very natively. 

123
00:06:16,100 --> 00:06:18,600
And so we've been talking about 
our journey now to get to that 

124
00:06:18,600 --> 00:06:20,800
point. 
We had deployed FIDO previously

125
00:06:21,100 --> 00:06:23,300
as a second factor
authentication or for step-up

126
00:06:23,300 --> 00:06:26,200
authentication, risk-based
authentication, but we quickly 

127
00:06:26,200 --> 00:06:28,700
saw the opportunity to leverage 
FIDO as a possible alternative

128
00:06:29,000 --> 00:06:32,300
and so we haven't eliminated 
password yet but we have 

129
00:06:32,300 --> 00:06:34,600
absolutely tried to reduce our 
dependency on passwords across 

130
00:06:34,600 --> 00:06:37,100
our Enterprise. 
So you mentioned that this has 

131
00:06:37,100 --> 00:06:39,500
been a multi-year journey to get
this done that. 

132
00:06:39,500 --> 00:06:42,100
I think, I think a lot of people
who say go FIDO, we're done,

133
00:06:42,100 --> 00:06:43,800
right? 
And I think FIDO has been around

134
00:06:43,800 --> 00:06:46,300
for a while. 
So most 10 years. 

135
00:06:46,300 --> 00:06:48,000
Yeah exactly. 
We're coming up on the 

136
00:06:48,000 --> 00:06:50,300
anniversary of, you know the 
passwords going to die soon. 

137
00:06:50,300 --> 00:06:51,600
Right. 
So we saw her do not want to get

138
00:06:51,600 --> 00:06:55,700
into and I think about From your
perspective, sort of leading 

139
00:06:55,700 --> 00:06:57,900
this group and sort of this 
charge through it. 

140
00:06:58,100 --> 00:07:01,500
What are some of the challenges 
or wrinkles that, you know, the

141
00:07:01,500 --> 00:07:03,500
people who are listening to us are
probably out in the real world 

142
00:07:03,500 --> 00:07:05,400
doing real identity, things. 
And their thing about some say 

143
00:07:05,400 --> 00:07:08,300
that FIDO sounds cool like what
are the things that I could be 

144
00:07:08,300 --> 00:07:10,500
looking out for maybe gotchas or
things like that? 

145
00:07:10,800 --> 00:07:14,700
Yeah, I think there's obviously 
going to be a well I said 

146
00:07:14,700 --> 00:07:17,300
there's likely going to be a 
cost component, right? 

147
00:07:17,300 --> 00:07:20,000
So getting buy-in for your 
organization on why you need to 

148
00:07:20,000 --> 00:07:23,000
do it and for us it actually 
starts to hackathon event. 

149
00:07:23,100 --> 00:07:26,400
We actually chose to write our
own FIDO server initially.

150
00:07:27,100 --> 00:07:28,900
And as far as a hackathon, we 
were trying something. 

151
00:07:28,900 --> 00:07:31,000
We are helping to give
our team members opportunities 

152
00:07:31,000 --> 00:07:33,900
to learn new technologies or new
skills and it just grew from 

153
00:07:33,900 --> 00:07:35,000
there. 
So it's something that we've 

154
00:07:35,000 --> 00:07:38,200
really been able to tackle 
organically, we haven't required

155
00:07:38,200 --> 00:07:41,400
significant investment in our 
world and so it's fun that we 

156
00:07:41,400 --> 00:07:44,600
can just continue to try and 
push out, sort of organically 

157
00:07:44,900 --> 00:07:47,000
and keep pushing. 
I will admit, we're probably 

158
00:07:47,000 --> 00:07:51,300
very unique there. 
We have a very mature Enterprise

159
00:07:51,300 --> 00:07:54,200
authentication pattern. 
So as we integrated FIDO, we

160
00:07:54,200 --> 00:07:56,600
integrated FIDO with hundreds
of applications initially 

161
00:07:56,900 --> 00:07:59,400
because we had that tight 
pattern again, that's probably a

162
00:07:59,407 --> 00:08:01,800
little bit unique to Target. 
So depending on where you're 

163
00:08:01,800 --> 00:08:04,100
coming from your story, your 
starting story might be 

164
00:08:04,100 --> 00:08:06,600
completely different. 
I would say at the at the most 

165
00:08:06,600 --> 00:08:08,700
basic stop. 
Once you understand what FIDO is

166
00:08:08,700 --> 00:08:11,800
and what it can do, it's about 
creating the business case and 

167
00:08:11,800 --> 00:08:14,000
your business case may be a
financially driven one. 

168
00:08:14,000 --> 00:08:15,600
Right. 
Maybe your helpdesk costs are 

169
00:08:15,600 --> 00:08:18,300
expensive around passwords maybe
user frustrations around

170
00:08:18,300 --> 00:08:20,200
passwords are very, very
challenging. 

171
00:08:20,800 --> 00:08:24,600
It may also be a security one. 
Maybe you're in the middle of 

172
00:08:24,600 --> 00:08:27,700
something where you identified 
that FIDO is a, is a strong

173
00:08:27,700 --> 00:08:29,600
authentication capability and 
that's the angle. 

174
00:08:29,600 --> 00:08:32,900
You want to go, but you need to 
get that buy-in first as the 

175
00:08:32,900 --> 00:08:34,900
first step. 
And then, from there, it's about

176
00:08:34,900 --> 00:08:37,299
making you making small 
iterations trying things out, 

177
00:08:37,299 --> 00:08:39,500
testing things and and then 
moving forward and trying it

178
00:08:39,500 --> 00:08:42,700
again. You mentioned this multi-
year journey as well.

179
00:08:42,700 --> 00:08:45,500
Like what was the what was the 
aha moment? 

180
00:08:45,500 --> 00:08:47,300
Where as I go? 
Yeah we should probably be 

181
00:08:47,300 --> 00:08:49,600
looking at this FIDO thing and
doing something about it. 

182
00:08:49,600 --> 00:08:52,600
Was it that hackathon? 
Or, you know, what was the sort 

183
00:08:52,600 --> 00:08:56,000
of like the genesis of like,
oh, this is Wilbur. 

184
00:08:56,400 --> 00:08:59,100
This is the future for 
authentication at Target. 

185
00:08:59,200 --> 00:09:04,300
Yeah, I think the genesis was
the belief that FIDO had legs,

186
00:09:04,300 --> 00:09:05,800
right? 
Was still very early, right? 

187
00:09:05,800 --> 00:09:08,200
We didn't have broad industry 
support yet. 

188
00:09:08,200 --> 00:09:11,500
At the time, you know, Apple 
wasn't yet a member of the FIDO

189
00:09:11,500 --> 00:09:13,800
Alliance. 
So we knew that we were up 

190
00:09:13,800 --> 00:09:16,700
against some challenges in terms
of Enterprise adoption, right? 

191
00:09:16,700 --> 00:09:19,400
We needed to make sure that we 
had an environment that all of

192
00:09:19,400 --> 00:09:21,200
our users would be able to use, 
right? 

193
00:09:21,200 --> 00:09:23,800
It wouldn't make sense to roll 
out the solution and then have

194
00:09:23,800 --> 00:09:26,200
half your users who were on 
maybe that platform not be able 

195
00:09:26,200 --> 00:09:28,300
to use it. 
So once we saw Apple get 

196
00:09:28,300 --> 00:09:30,600
involved, that's really where we
said this is real. 

197
00:09:30,600 --> 00:09:32,500
Now, this is something that we 
can actually do. 

198
00:09:33,000 --> 00:09:35,800
The hackathon was our sort of 
internal impetus to get started 

199
00:09:36,400 --> 00:09:38,100
and that was just a trial like, 
let's try it. 

200
00:09:38,100 --> 00:09:40,800
Let's, let's let's have our 
teams learn something new in a

201
00:09:40,808 --> 00:09:43,200
safe environment and so we just 
iterated on that, sort of

202
00:09:43,208 --> 00:09:46,100
behind the scenes, until we have
the opportunity to actually take

203
00:09:46,100 --> 00:09:49,200
it forward as a, as a platform 
for authentication. 

204
00:09:49,800 --> 00:09:53,200
So Tom, is this something that 
you decided from a Grassroots 

205
00:09:53,200 --> 00:09:55,800
perspective? 
Of that like, hey, we really 

206
00:09:55,800 --> 00:09:58,600
need to do this. 
And then you sold it up to your

207
00:09:59,000 --> 00:10:01,500
management leadership team. 
Okay? 

208
00:10:01,500 --> 00:10:05,900
So that is a really big point.
What was that, like, what top 

209
00:10:05,900 --> 00:10:09,600
walk us through, you know, how 
you made that case, how you put 

210
00:10:09,600 --> 00:10:13,600
it in the business terms that, 
you know, executive leadership 

211
00:10:13,600 --> 00:10:18,200
got behind it and was willing to
make the, I'm sure sizable 

212
00:10:18,200 --> 00:10:21,900
investment to make this happen. 
Yeah, for us, it was really, our

213
00:10:21,900 --> 00:10:24,700
goal was to try and demonstrate 
that it could be as easy as a

214
00:10:24,708 --> 00:10:27,100
consumer experience. 
So so everybody at that point 

215
00:10:27,100 --> 00:10:30,500
had mobile devices right with 
either a touch ID or face ID 

216
00:10:30,500 --> 00:10:32,400
like experience and what 
platform you're on. 

217
00:10:32,700 --> 00:10:35,000
So something that we basically 
tried to demonstrate, we can do 

218
00:10:35,000 --> 00:10:37,000
the same thing for the 
enterprise. 

219
00:10:37,200 --> 00:10:39,500
We can do it at scale again 
because we had a very robust 

220
00:10:39,500 --> 00:10:41,000
Enterprise authentication 
pattern. 

221
00:10:41,400 --> 00:10:43,200
We could demonstrate that we 
could get all of our 

222
00:10:43,200 --> 00:10:45,700
applications integrated with it.
It was also something that we 

223
00:10:45,700 --> 00:10:48,300
could use from a security 
perspective to highlight the 

224
00:10:48,300 --> 00:10:51,900
security benefits of logging in 
with a biometric, right? 

225
00:10:52,200 --> 00:10:55,500
The other final protocol. 
Under the covers as opposed to 

226
00:10:55,500 --> 00:10:57,300
password. 
And so we all know the inherent 

227
00:10:57,300 --> 00:10:59,200
weaknesses of passwords as an 
industry. 

228
00:10:59,700 --> 00:11:02,400
The news is full of stories 
around them and we are 

229
00:11:02,400 --> 00:11:05,500
continuing to look at ways to 
try and strengthen that 

230
00:11:05,500 --> 00:11:08,000
authentication experience and 
make it easy for our users. 

231
00:11:08,800 --> 00:11:11,400
We talk a lot about our users in
the moment. 

232
00:11:11,400 --> 00:11:13,900
They're logging into an 
application, not that they don't

233
00:11:13,900 --> 00:11:17,200
care about security but it's not
top of mind in that moment.

234
00:11:17,200 --> 00:11:19,500
It's about friction. 
It's about how easy was it, how 

235
00:11:19,500 --> 00:11:21,400
fast can I do it? 
And we've been able to 

236
00:11:21,408 --> 00:11:24,200
demonstrate through Biometrics 
that it is actually easier to do

237
00:11:24,200 --> 00:11:27,400
that than to enter a password. 
Yeah, absolutely. 

238
00:11:27,700 --> 00:11:31,400
So Tom not sure if you made it 
to the session yesterday, where 

239
00:11:31,800 --> 00:11:38,600
is the one of the IT leaders
from City talked about, you 

240
00:11:38,600 --> 00:11:42,200
know, they rolled out to like 
200 million consumer users. 

241
00:11:42,200 --> 00:11:44,800
Roll-off find out. 
Roll out roll. 

242
00:11:44,800 --> 00:11:51,300
Yeah, and question came, why did
you choose to do consumers 

243
00:11:51,300 --> 00:11:54,900
before Enterprise and Khalid to 
summarizes answer. 

244
00:11:54,900 --> 00:11:57,800
I think he said that, we thought
it would be easier to do 

245
00:11:57,800 --> 00:12:01,200
consumer than Enterprise, which 
is like a head-scratcher, right?

246
00:12:01,200 --> 00:12:04,100
Because on the scale of things, 
even though they have a lot of 

247
00:12:04,100 --> 00:12:09,400
employees, if you have 200 
million consumers, you started 

248
00:12:09,400 --> 00:12:12,100
with the Enterprise. 
And what I think about the 

249
00:12:12,100 --> 00:12:16,200
diversity of types of users, got
your corporate users. 

250
00:12:16,200 --> 00:12:20,900
You got your Warehouse users, 
you've got retail users. 

251
00:12:20,900 --> 00:12:23,800
I'm sure some in between. 
And then on top of that, You've 

252
00:12:23,800 --> 00:12:27,000
got a diversity of application
which I think was essentially 

253
00:12:27,000 --> 00:12:29,400
City's point, right? 
It's like the internal users 

254
00:12:29,400 --> 00:12:33,800
have 20 100 applications. 
Whereas consumers have one, two,

255
00:12:33,800 --> 00:12:38,800
maybe three so talk us through 
maybe some of that challenge, 

256
00:12:38,800 --> 00:12:41,600
right. 
The diversity of user types and 

257
00:12:41,900 --> 00:12:46,800
you know just how hard it must 
have been to roll out FIDO to

258
00:12:47,200 --> 00:12:49,500
your Enterprise. 
Yeah. 

259
00:12:49,500 --> 00:12:52,700
So for us, I touched on it
initially a little bit, so from

260
00:12:52,900 --> 00:12:55,500
from a I'll use the application 
side first, right? 

261
00:12:55,500 --> 00:12:59,400
For us, we have that robust
Enterprise authentication model.

262
00:12:59,600 --> 00:13:01,300
So we already had, even though 
we have hundreds of 

263
00:13:01,308 --> 00:13:03,900
applications, they're already
leveraging our single sign-on

264
00:13:03,900 --> 00:13:05,600
solution. 
They're already integrated into 

265
00:13:05,600 --> 00:13:08,700
our login patterns. 
So as we enabled FIDO for our

266
00:13:08,700 --> 00:13:11,200
users, it was immediately 
available for all those 

267
00:13:11,200 --> 00:13:13,800
applications as soon as we 
launched and every new

268
00:13:13,800 --> 00:13:16,300
application that launches in 
Target now, going forward that 

269
00:13:16,300 --> 00:13:18,700
launches onto our platform 
automatically gets benefits as 

270
00:13:18,700 --> 00:13:20,700
well. 
So we actually had situations 

271
00:13:20,700 --> 00:13:23,400
where our users were going
back to the application

272
00:13:23,500 --> 00:13:27,000
occasionally and saying, why
can't I log in with fingerprint 

273
00:13:27,000 --> 00:13:29,000
ID? 
Why can't I log in like that? 

274
00:13:29,200 --> 00:13:31,500
So that's actually been a 
partial driver for us to get 

275
00:13:31,500 --> 00:13:34,100
more applications on-boarded 
into our pattern. 

276
00:13:34,500 --> 00:13:37,400
If you think about our user 
population, we initially 

277
00:13:37,400 --> 00:13:40,900
targeted, specifically, targeted
through our campaigns our HQ

278
00:13:40,900 --> 00:13:44,200
population because we had 
control, the desktop, I knew 

279
00:13:44,200 --> 00:13:47,100
they had a capable device, I had
ways to reach them through 

280
00:13:47,100 --> 00:13:49,500
email, through internal portals,
things like that. 

281
00:13:49,800 --> 00:13:54,000
So our target population
initially was our HQ users. But

282
00:13:54,000 --> 00:13:56,500
we quickly realized as we've 
rolled out and as we've 

283
00:13:56,500 --> 00:13:58,600
continued to roll out, now, 
almost a year and over a year 

284
00:13:58,600 --> 00:14:02,400
and a half later, is that a 
significant number of our non HQ

285
00:14:02,400 --> 00:14:05,500
users have registered as well.
And we attribute that to our 

286
00:14:05,500 --> 00:14:08,600
communication strategy. 
We put together a very robust 

287
00:14:08,600 --> 00:14:11,700
communication plan, again, direct
communications, targeted

288
00:14:11,700 --> 00:14:14,700
communications campaigns and the
like, but we also leveraged

289
00:14:14,700 --> 00:14:17,900
indirect methods. 
So, we put some of our messages 

290
00:14:17,900 --> 00:14:20,900
across internal portal pages.
We partner with some of our 

291
00:14:20,900 --> 00:14:24,500
larger application teams to help
them deliver our message on

292
00:14:24,500 --> 00:14:26,500
our behalf. 
So if you log in to our HR

293
00:14:26,500 --> 00:14:29,500
application, we had an FAQ 
within our, a chap like within 

294
00:14:29,500 --> 00:14:32,700
it which, in our within our HR 
applications, FAQ Pages, the 

295
00:14:32,700 --> 00:14:36,000
suggest that those users 
register for our solution. 

296
00:14:36,200 --> 00:14:40,200
So we've actually seen about 60%
of our stores users, for

297
00:14:40,200 --> 00:14:44,200
example, register for our 
solution, they're registering on

298
00:14:44,200 --> 00:14:47,300
personal devices, mobile 
devices, and personal laptops 

299
00:14:47,300 --> 00:14:50,400
workstations, or otherwise, and
they're primarily using it at 

300
00:14:50,400 --> 00:14:53,300
using those devices to access
their HR information, their

301
00:14:53,300 --> 00:14:55,900
pay and benefits information.
So we provided value for them. 

302
00:14:56,200 --> 00:14:59,200
That we were able to that they 
were able to see and we like to 

303
00:14:59,208 --> 00:15:02,800
say we inspire them to go from a
login experience via

304
00:15:02,800 --> 00:15:05,400
passwords to a login experience via
biometrics.

305
00:15:05,800 --> 00:15:09,100
Yeah, I think that one of the 
things you're bringing up there 

306
00:15:09,100 --> 00:15:13,500
is the importance of 
communication and then the other

307
00:15:13,500 --> 00:15:17,800
thing that I took away is that 
you've been investing in

308
00:15:17,800 --> 00:15:21,400
IAM over time, right?
So you have some platforms that 

309
00:15:21,400 --> 00:15:24,700
you're able to leverage. I think,
you know, you can't just decide

310
00:15:24,700 --> 00:15:26,900
to jump right to FIDO and expect
that

311
00:15:26,900 --> 00:15:28,800
it's going to be a snap of the
fingers. 

312
00:15:28,800 --> 00:15:31,900
If you don't have kind of those 
building blocks that you're able

313
00:15:31,900 --> 00:15:35,400
to plug into, or at least you 
could turn on FIDO.

314
00:15:35,700 --> 00:15:40,900
But to get like hundreds of apps
to all be on FIDO overnight,

315
00:15:40,900 --> 00:15:42,500
right? 
You're leveraging that 

316
00:15:42,700 --> 00:15:45,300
investment in that IDP that you 
already stood up. 

317
00:15:45,400 --> 00:15:47,200
Correct. 
We had laid out our identity 

318
00:15:47,200 --> 00:15:50,200
vision about, I joined Target
about six and a half years ago 

319
00:15:50,400 --> 00:15:52,800
and shortly after I joined we 
laid out our identity vision and

320
00:15:52,800 --> 00:15:55,400
we built it on three core
tenets.

321
00:15:55,900 --> 00:15:57,700
First, we want to simplify 
technology. 

322
00:15:57,900 --> 00:16:02,400
We recognize that the
computing environment was moving

323
00:16:02,400 --> 00:16:04,200
to the cloud, DevOps, things like
that. 

324
00:16:04,200 --> 00:16:06,600
So we want to be there. 
We wanted to enable our 

325
00:16:06,600 --> 00:16:09,600
engineering and product teams to
go deliver solutions for their 

326
00:16:09,600 --> 00:16:12,400
customers for their users, 
without becoming a barrier or 

327
00:16:12,400 --> 00:16:14,800
bottleneck. 
And so, that's the foundation.

328
00:16:15,000 --> 00:16:17,400
Cyber security and identity can
become those two things

329
00:16:17,400 --> 00:16:20,200
if you're not careful.
We also recognized early on 

330
00:16:20,200 --> 00:16:21,200
that
we want to take advantage of

331
00:16:21,200 --> 00:16:22,900
open standards, right?
I didn't want vendor

332
00:16:23,100 --> 00:16:25,000
lock-in.
And I want to make sure that I had

333
00:16:25,000 --> 00:16:28,300
interoperability both within my 
ecosystem as the tools that I 

334
00:16:28,300 --> 00:16:31,000
use, but also again, with the 
developers ecosystem. 

335
00:16:31,000 --> 00:16:33,700
So, I want to make sure that we 
could, again, support them and 

336
00:16:33,700 --> 00:16:35,300
help them do the things they 
need to do. 

337
00:16:35,900 --> 00:16:40,600
The second tenet of our vision 
was focused around enhancing 

338
00:16:40,600 --> 00:16:43,900
security, we all recognize the 
inherent weaknesses of

339
00:16:43,900 --> 00:16:45,700
passwords and so we knew we want
to get rid of them. 

340
00:16:45,700 --> 00:16:48,300
We knew we needed to leverage
strong authentication and FIDO

341
00:16:48,300 --> 00:16:51,400
was a perfect story to tell
about how we could do that. 

342
00:16:51,800 --> 00:16:53,000
And then finally, we wanted to
enhance

343
00:16:53,100 --> 00:16:55,400
user experience, just the
average user that consumer. 

344
00:16:55,700 --> 00:16:58,100
And I made the comment before 
about, you know, easiest and 

345
00:16:58,100 --> 00:17:00,300
fastest in the moment. 
That's what the team members 

346
00:17:00,300 --> 00:17:02,900
want when they're logging
in, in order to do their jobs, they

347
00:17:02,900 --> 00:17:05,099
want to get it done as quickly 
and seamlessly as possible. 

348
00:17:05,400 --> 00:17:07,700
So our goal was to enable 
productivity for them. 

349
00:17:07,800 --> 00:17:10,500
But in a compliant secure way, I
didn't want them to have to make

350
00:17:10,500 --> 00:17:13,200
the traditional trade off that 
people often make. It's those

351
00:17:13,200 --> 00:17:15,300
trade-offs that cause problems, 
right? 

352
00:17:15,300 --> 00:17:17,800
From security perspective, from 
a compliance perspective and we 

353
00:17:17,800 --> 00:17:20,099
want to make sure that they were
leveraging, our solution right 

354
00:17:20,099 --> 00:17:22,200
away. 
But to do so in a compliant and

355
00:17:22,200 --> 00:17:25,300
secure way. 
What about feedback from users 

356
00:17:25,300 --> 00:17:28,300
themselves? 
Have you gathered any sort of, 

357
00:17:28,800 --> 00:17:33,300
you know, I always cringe right 
feedback from users might be negative,

358
00:17:33,300 --> 00:17:36,600
some might be positive. 
But what has been the response 

359
00:17:36,600 --> 00:17:39,200
to sort of the rollout as it's 
gone so far? 

360
00:17:39,400 --> 00:17:42,000
It's been it's been really 
really positive two responses. 

361
00:17:42,200 --> 00:17:45,600
A lot of a lot of positive 
feedback we haven't yet hit full

362
00:17:45,600 --> 00:17:47,600
adoption and I don't know what 
full adoption looks like. 

363
00:17:47,600 --> 00:17:50,100
I love to think that I'm gonna 
get the 100 adoption at some 

364
00:17:50,100 --> 00:17:52,400
point. 
We realized during the pilots 

365
00:17:52,400 --> 00:17:55,400
for example, we Number of Pilots
over our journey, we realize 

366
00:17:55,400 --> 00:17:58,200
during the pilots this was 
during the during the pandemic 

367
00:17:58,200 --> 00:18:00,200
time. 
So all we had all shifted to a 

368
00:18:00,500 --> 00:18:03,400
remote working environment and 
what we quickly realize, for 

369
00:18:03,400 --> 00:18:07,000
example, is that a lot of our 
Engineers, for example, they 

370
00:18:07,000 --> 00:18:09,300
were able to set up their 
multiple monitors dual monitors 

371
00:18:09,300 --> 00:18:12,400
at home, external keyboards, 
external mics things like that. 

372
00:18:12,600 --> 00:18:15,200
And what we learned is that 
their, their laptop is often off

373
00:18:15,200 --> 00:18:17,700
to the side of their desk often 
times with a lid, actually 

374
00:18:17,700 --> 00:18:20,500
closed so that fingerprint 
sensor isn't even available to 

375
00:18:20,500 --> 00:18:21,800
them. 
So you think about platform 

376
00:18:21,800 --> 00:18:23,900
authenticators, right? 
They're not even able to 

377
00:18:23,900 --> 00:18:26,200
authenticate the way we'd like 
them to. 

378
00:18:26,400 --> 00:18:29,000
Now, there's no way that I can 
tell them change your desktop 

379
00:18:29,000 --> 00:18:30,400
setup. 
I need you to do this for me. 

380
00:18:30,700 --> 00:18:32,200
That's just not going to fly. 
I'm not very good. 

381
00:18:32,200 --> 00:18:34,300
Even I'm going to entertain that
type of a conversation. 

382
00:18:34,700 --> 00:18:37,200
So we've been working with 
looking for ways to help them 

383
00:18:37,900 --> 00:18:40,200
authenticate via
biometric-enabled security keys.

384
00:18:40,200 --> 00:18:43,700
For example, there's still some 
reaching challenges, perhaps 

385
00:18:43,700 --> 00:18:46,200
depending on which side of the 
desk, the keyboard, the the 

386
00:18:46,300 --> 00:18:48,400
laptop's on, or where the key's
actually plugged in. 

387
00:18:48,600 --> 00:18:51,500
But we continue to look for ways
to help enable them to be able 

388
00:18:51,500 --> 00:18:54,100
to try and leverage the solution
to Down the same productivity 

389
00:18:54,100 --> 00:18:56,600
and Security benefits that 
everybody else is receiving 

390
00:18:56,800 --> 00:19:00,300
since interesting pivoting. 
During this test right to say, 

391
00:19:00,300 --> 00:19:01,900
okay I'm one of those people 
right. 

392
00:19:01,900 --> 00:19:05,200
I generally have my laptop off 
to the side and it's closed and 

393
00:19:05,900 --> 00:19:09,500
yeah I'm not getting Touch ID 
that but I do have things like 

394
00:19:09,500 --> 00:19:11,700
Windows Hello.
If I have you know an IR camera 

395
00:19:11,700 --> 00:19:14,100
that can kind of look at me from
a distance, things like that. 

396
00:19:14,100 --> 00:19:16,600
So there's certainly options 
around that. 

397
00:19:16,600 --> 00:19:21,800
I guess what are some of the 
other patterns from an MFA

398
00:19:21,800 --> 00:19:23,600
perspective that you're
deploying. 

399
00:19:23,600 --> 00:19:27,200
You mentioned the security keys,
obviously, the hardware itself. 

400
00:19:27,800 --> 00:19:30,200
Other other things that might be
out there because I would 

401
00:19:30,200 --> 00:19:33,700
imagine you probably are like 
the terrible analogy, like, 

402
00:19:33,700 --> 00:19:38,300
Hawkeye from from The Avengers. 
He's got this, you know, Arrow 

403
00:19:38,700 --> 00:19:40,700
quiver, full of a whole bunch of
different arrows. 

404
00:19:40,700 --> 00:19:43,300
They do different things and I 
think the modern IAM program,

405
00:19:43,300 --> 00:19:47,000
probably has a whole bunch of 
different arrows to solve 

406
00:19:47,000 --> 00:19:50,300
specific use cases or you know, 
things like that. 

407
00:19:50,300 --> 00:19:52,900
I'm wondering as you were 
looking through. 

408
00:19:53,100 --> 00:19:55,600
This process of deployment. 
You know what were the arrows 

409
00:19:55,600 --> 00:19:57,700
that you were looking to kind of
put in that quiver? 

410
00:19:58,000 --> 00:20:01,200
Yeah so we've been on the 
multi-factor journey for years 

411
00:20:01,200 --> 00:20:06,200
now as most companies have so so
you know, OTPs, right? We support

412
00:20:06,700 --> 00:20:11,800
we support what I'll call 
generically legacy tokens,

413
00:20:11,800 --> 00:20:13,300
right? 
You all if you've been in the 

414
00:20:13,308 --> 00:20:15,900
industry for any period of time,
you likely had one on your 

415
00:20:15,900 --> 00:20:17,600
keychain. 
If not have one right now, we 

416
00:20:17,600 --> 00:20:19,400
continue to support those in 
environment. 

417
00:20:19,500 --> 00:20:21,900
We also support OTP push as 
well. 

418
00:20:22,100 --> 00:20:25,300
Not a Has it each of those are 
phishable, right? Subject to

419
00:20:25,300 --> 00:20:28,700
phishing, susceptible to phishing,
so FIDO gives us that phishing-

420
00:20:28,700 --> 00:20:32,700
resistant capability. But to your
comment, we feel that they have

421
00:20:32,700 --> 00:20:36,600
different applicable use cases.
And so what we try and do is we 

422
00:20:36,600 --> 00:20:40,800
provide or support as many as
we can and then we tailor their 

423
00:20:41,200 --> 00:20:44,800
adoption or tailor their their 
consumption based on the data, 

424
00:20:44,800 --> 00:20:47,200
the application being accessed. 
So we may not off, we may not 

425
00:20:47,200 --> 00:20:49,700
allow you to authenticate with 
one of them into a certain 

426
00:20:49,700 --> 00:20:52,900
application depending where you 
are in the network but that's 

427
00:20:53,000 --> 00:20:54,400
Choice. 
You're making consciously as 

428
00:20:54,400 --> 00:20:56,600
part of our data classification 
and application risk 

429
00:20:56,600 --> 00:21:02,500
considerations but I was reading
the synopsis of your talk. 

430
00:21:02,800 --> 00:21:06,800
One of the things it said was 
that you had a goal of not 

431
00:21:07,100 --> 00:21:10,000
having people call the help desk
to get through this process, 

432
00:21:10,000 --> 00:21:12,300
right? 
So I want to ask you kind of a 

433
00:21:13,200 --> 00:21:16,400
further question on that. 
So most of expected that some 

434
00:21:16,400 --> 00:21:18,200
people are going to call the 
help desk. 

435
00:21:18,300 --> 00:21:23,600
What is it, 2%, 5%, 10%?
I want to know, like, what was

436
00:21:23,600 --> 00:21:27,400
your estimate and then how close
were you to actual? 

437
00:21:27,900 --> 00:21:31,100
So we didn't have a specific 
numerical estimate when we 

438
00:21:31,100 --> 00:21:33,400
started, we were concerned. 
We're absolutely concerned I 

439
00:21:33,408 --> 00:21:35,800
didn't want to overrun the help 
desk and I didn't want to 

440
00:21:35,800 --> 00:21:39,500
overrun my engineering team from
a level 2 or level 3 escalation 

441
00:21:39,500 --> 00:21:42,000
perspective. 
The more time that they would 

442
00:21:42,000 --> 00:21:45,800
have to spend supporting our 
users is less time, they're 

443
00:21:45,800 --> 00:21:47,600
working on the solution less 
than they were going to 

444
00:21:47,600 --> 00:21:50,000
capability. 
So we were very interested early

445
00:21:50,000 --> 00:21:52,100
on about what it might look 
like. 

446
00:21:52,500 --> 00:21:55,300
What I'll
say is that we've had, by my

447
00:21:55,300 --> 00:21:58,400
numbers,
well less than 1% of support

448
00:21:58,400 --> 00:22:00,400
engagements coming from our user
base. 

449
00:22:01,100 --> 00:22:03,800
So very, very happy with what 
we've seen so far. 

450
00:22:04,000 --> 00:22:07,900
It's been relatively easy to 
roll out relatively easy to 

451
00:22:07,900 --> 00:22:11,800
adopt relatively easy to use 
when measured from a support 

452
00:22:11,800 --> 00:22:13,800
perspective. 
It's been very very low support 

453
00:22:13,800 --> 00:22:17,500
engagements overall, which is 
which is surprising, but also 

454
00:22:17,500 --> 00:22:20,900
very, very happy to see. It
sounds like we're done here.

455
00:22:21,200 --> 00:22:24,300
Tom has solved
rollout of FIDO for every

456
00:22:24,300 --> 00:22:26,000
organization out there. 
Just talk to him. 

457
00:22:26,000 --> 00:22:28,600
She needed help. 
I know, I mean, it sounds like 

458
00:22:28,600 --> 00:22:33,300
it's going well, I wonder if the
pessimist of me is thinking 

459
00:22:33,300 --> 00:22:35,300
like, okay, when does the other 
shoe drop right? 

460
00:22:35,300 --> 00:22:40,300
Do you have any sense of 
impending dread or Doom or do 

461
00:22:40,300 --> 00:22:42,500
you feel pretty confident like? 
Yeah we're on the right track 

462
00:22:42,500 --> 00:22:45,400
and it's just a matter of time 
and execution and sort of the 

463
00:22:45,700 --> 00:22:48,400
rollout like are there are 
things on your radar that you 

464
00:22:48,400 --> 00:22:52,500
think could be an issue if you 
don't get in front of it? 

465
00:22:52,500 --> 00:22:53,800
Yeah. 
I think we're absolutely on the 

466
00:22:53,808 --> 00:22:55,900
right track. 
We're happy with where we are. 

467
00:22:56,000 --> 00:22:57,500
We continue to tweak our 
experience. 

468
00:22:57,500 --> 00:23:00,400
We continue to tweak our 
messaging on our flows to try 

469
00:23:00,400 --> 00:23:04,500
and encourage more
adoption. That desktop setup will

470
00:23:04,500 --> 00:23:06,200
be a struggle to get past, 
right? 

471
00:23:06,200 --> 00:23:09,300
I still have users, some users. 
A small pocket of users. 

472
00:23:09,500 --> 00:23:12,600
This will have privacy concerns.
They're concerned that quote, 

473
00:23:12,600 --> 00:23:15,100
unquote, Target has access to their
biometrics.

474
00:23:15,100 --> 00:23:18,100
And we're trying to articulate that
the same biometric that you, you

475
00:23:18,100 --> 00:23:20,900
likely use today, to unlock your
phone, right? 

476
00:23:20,900 --> 00:23:22,800
We're just using that same 
biometric in a different way. 

477
00:23:22,900 --> 00:23:25,700
Yeah, but again, those are 
battles of their discussions. 

478
00:23:25,700 --> 00:23:29,500
That I may not ever convince 
those users to move past, I 

479
00:23:29,500 --> 00:23:32,400
would say the biggest thing that
we're tracking right now is 

480
00:23:32,400 --> 00:23:35,700
passkeys as we think about the 
people that do engage our 

481
00:23:35,700 --> 00:23:41,000
support channels today, one of 
the top top engagement requests 

482
00:23:41,000 --> 00:23:44,000
that we get are people that get 
a new or replacement device.

483
00:23:44,700 --> 00:23:47,000
So they don't realize 
immediately that they need to 

484
00:23:47,000 --> 00:23:49,200
re-register their credential, 
you need to re-register for our 

485
00:23:49,200 --> 00:23:51,200
program. 
And so that is something that 

486
00:23:51,200 --> 00:23:53,900
we've got messaging around
now. We try and have FAQs to

487
00:23:53,900 --> 00:23:56,400
try and eliminate the help desk
call, but it's definitely

488
00:23:56,400 --> 00:23:59,500
something that we see. 
I think passkeys are the answer

489
00:23:59,500 --> 00:24:02,700
there and I'm excited about the 
future of passkeys but as an 

490
00:24:02,700 --> 00:24:05,000
Enterprise I think there's some 
considerations that we're all 

491
00:24:05,000 --> 00:24:07,500
going to have to convey think 
about before you can actually 

492
00:24:07,500 --> 00:24:10,200
take advantage of passkeys. 
One of them that I'd like to

493
00:24:10,200 --> 00:24:13,200
highlight is what I call a
philosophical one. 

494
00:24:13,900 --> 00:24:16,900
What is your company's position 
on allowing corporate 

495
00:24:16,900 --> 00:24:20,000
credentials, which is the
passkey, to be synced to a personal

496
00:24:20,000 --> 00:24:23,300
cloud or keychain account? A
second one that we talk about 

497
00:24:23,300 --> 00:24:26,600
internally is what is your 
company's position on allowing 

498
00:24:26,600 --> 00:24:29,700
access to corporate resources, 
corporate applications via 

499
00:24:29,700 --> 00:24:32,500
non-corporate devices. 
So personal laptop, personal 

500
00:24:32,500 --> 00:24:35,500
mobile devices, Etc. 
We have some of those at Target 

501
00:24:35,700 --> 00:24:37,600
and so it's something that we're
now considering as you think 

502
00:24:37,600 --> 00:24:39,600
about
passkeys, how do we want to enable

503
00:24:39,600 --> 00:24:41,600
that? 
Well, I think the way people 

504
00:24:41,600 --> 00:24:46,000
have work has changed, right? 
I think the blending of what is 

505
00:24:46,000 --> 00:24:50,100
a personal device versus a work 
device has probably changed 

506
00:24:50,100 --> 00:24:52,300
quite a bit over the last couple
years, especially where, you 

507
00:24:52,300 --> 00:24:54,700
know, of course, Always use 
their work computer to do 

508
00:24:54,700 --> 00:24:59,200
things, sort of ancillary, but a
lot of people now that they just

509
00:24:59,700 --> 00:25:02,000
there on a computer, it's just 
what, the, what's in front of 

510
00:25:02,000 --> 00:25:04,300
them, they're using it. 
And I think that question of, 

511
00:25:05,000 --> 00:25:10,100
you know, do you allow X on Y, 
is really so fundamental to the 

512
00:25:10,100 --> 00:25:14,200
strategy because if the answer 
is yes or no, that opens up a 

513
00:25:14,200 --> 00:25:16,100
branching decision, kind of 
beneath it, right? 

514
00:25:16,100 --> 00:25:20,400
I think having the, you know, 
the the foresight to look at it 

515
00:25:20,400 --> 00:25:22,000
and say, OK, these are the 
things that we need to answer 

516
00:25:22,000 --> 00:25:25,100
before we even get get to like 
that's that's not a passkey

517
00:25:25,100 --> 00:25:26,900
question, right? 
That's do. 

518
00:25:26,900 --> 00:25:30,700
We even a lot want this thing to
be in our merits, why we call it

519
00:25:30,700 --> 00:25:32,000
a philosophical conversation, 
right? 

520
00:25:32,000 --> 00:25:34,700
It goes back to what is your 
company's position around 

521
00:25:34,700 --> 00:25:37,000
security or your network, or 
things like that. 

522
00:25:37,400 --> 00:25:41,000
And then how do passkeys support
or not, as the case may be that 

523
00:25:41,000 --> 00:25:44,300
position, then what do you need 
to do to change your position or

524
00:25:44,300 --> 00:25:46,400
not as the case may be and then 
what does that do? 

525
00:25:46,400 --> 00:25:47,600
Then? 
Do your decision around. 

526
00:25:47,600 --> 00:25:50,700
What passkeys will work for you.
So it's a domino effect if you 

527
00:25:50,700 --> 00:25:53,200
will but you have to have the 
conversations first and Stay in 

528
00:25:53,200 --> 00:25:56,000
your positions. 
Now is one of the themes I heard

529
00:25:56,000 --> 00:26:00,700
about yesterday. 
Which was that the hackers the 

530
00:26:00,700 --> 00:26:03,900
adversaries
don't go after the happy path.

531
00:26:03,900 --> 00:26:07,400
They go after the unhappy path. 
It's the scenario. 

532
00:26:07,400 --> 00:26:12,500
You brought up got a new device 
need to re-register and okay. 

533
00:26:12,500 --> 00:26:15,800
Now that they put a weakness in 
that workflow that I can 

534
00:26:15,800 --> 00:26:18,700
exploit. 
So, yeah, I think you're on the 

535
00:26:18,700 --> 00:26:21,000
right track. 
I'm wondering what else coming 

536
00:26:21,000 --> 00:26:24,100
from this conference kind of 
resonated with you. You talk

537
00:26:24,100 --> 00:26:29,500
about passkeys big thing, use 
usability and user experience. 

538
00:26:29,900 --> 00:26:33,000
Ubiquity was something that's 
talked a lot about that piece. 

539
00:26:33,000 --> 00:26:35,200
I just talked about with the 
adversaries going after the 

540
00:26:35,200 --> 00:26:38,500
unhappy path. 
Were there any other key themes 

541
00:26:38,500 --> 00:26:43,900
that resonate with you or maybe 
spark some new ideas outside of 

542
00:26:43,900 --> 00:26:46,400
the FIDO realm
specifically? I think CAEP has a

543
00:26:46,400 --> 00:26:50,600
lot of has a lot of opportunity.
I know it's very early, but it's

544
00:26:50,600 --> 00:26:52,800
something that we're beginning 
to take a look at in terms. 

545
00:26:52,900 --> 00:26:54,600
Of those signals. 
And then the eventing off of

546
00:26:54,608 --> 00:26:57,500
those signals. 
We had any significant work or 

547
00:26:57,500 --> 00:27:00,400
specific work yet. 
But as we think about 2023, I

548
00:27:00,408 --> 00:27:02,500
hope to do a little bit of 
investigation there.

549
00:27:02,600 --> 00:27:04,900
That may become a hackathon 
topic for next year. 

550
00:27:04,900 --> 00:27:07,600
If you will, for us, as we just 
want to get our arms around and 

551
00:27:07,600 --> 00:27:09,900
understand what it might do for 
us, how we might be able to 

552
00:27:09,908 --> 00:27:11,600
leverage it. 
And then from there, we can 

553
00:27:11,600 --> 00:27:14,000
determine if it's a priority and
then if we have to sell it, you 

554
00:27:14,008 --> 00:27:16,300
know, what's the business case, 
we want to wrap around it, to be

555
00:27:16,300 --> 00:27:18,300
able to make it a priority? 
So for people who aren't 

556
00:27:18,300 --> 00:27:20,700
familiar with CAEP, can you kind
of explain it to folks who are 

557
00:27:20,700 --> 00:27:22,300
not neck-deep in this? 
Yeah. 

558
00:27:22,800 --> 00:27:26,000
Way I describe CAEP, at the
highest level, CAEP begins to

559
00:27:26,000 --> 00:27:28,400
allow for a continuous 
authentication experience. 

560
00:27:28,400 --> 00:27:31,000
So today if I log in and I'll 
use a SaaS application.

561
00:27:31,000 --> 00:27:35,600
As my simple example, when I log
into that application, I'm given

562
00:27:35,600 --> 00:27:37,400
a token, right? 
And there's nothing that the 

563
00:27:37,400 --> 00:27:40,000
vendor knows, or the SaaS
provider knows about me at after

564
00:27:40,000 --> 00:27:42,300
that, receiving or issuing that 
sorry, issuing, that token to 

565
00:27:42,300 --> 00:27:45,000
me. 
That says that token, maybe 

566
00:27:45,000 --> 00:27:49,200
isn't as valid, or isn't as 
strong as it was before I should

567
00:27:49,200 --> 00:27:52,700
do something about it. And CAEP
provides the ability for an

568
00:27:52,700 --> 00:27:55,300
IdP like us to be able to send
an event saying. 

569
00:27:55,300 --> 00:27:59,000
Hey, something's changed about 
Tom's experiences, 

570
00:27:59,000 --> 00:28:01,400
authentication experience, 
maybe, change networks. 

571
00:28:01,400 --> 00:28:02,700
So maybe something else 
happened. 

572
00:28:03,200 --> 00:28:05,700
You should consider doing 
something, so it's an event 

573
00:28:05,700 --> 00:28:09,500
based system from the IdP and
then the the RP would be able to

574
00:28:09,500 --> 00:28:12,900
do a response to that and a 
simple response maybe to revoke 

575
00:28:12,900 --> 00:28:15,900
the token or to prompt for a 
secondary authentication at 

576
00:28:15,908 --> 00:28:18,800
which point we come back to me 
the IdP and I would either allow

577
00:28:18,800 --> 00:28:21,000
or disallow that secondary 
authentication. 

578
00:28:21,000 --> 00:28:24,200
For example. I think it's
interesting trying to determine

579
00:28:24,200 --> 00:28:26,800
what's normal in those sort of 
scenario, especially as we're 

580
00:28:26,800 --> 00:28:28,600
just talking about multiple 
devices, right? 

581
00:28:28,800 --> 00:28:32,800
You might be flipping from your 
iPhone to a laptop to a tablet 

582
00:28:32,800 --> 00:28:37,200
to a workstation, right? 
Whatever may be and trying to to

583
00:28:37,200 --> 00:28:41,200
take all those signals and not 
like drive yourself crazy with 

584
00:28:41,300 --> 00:28:45,000
hey is this legitimate log on 
there or not right and and at 

585
00:28:45,000 --> 00:28:47,200
the same time trying to balance 
that against the usability, 

586
00:28:47,200 --> 00:28:48,000
right? 
On the user side? 

587
00:28:48,000 --> 00:28:50,500
It's like okay you know if I'm 
constantly getting prompted for 

588
00:28:50,508 --> 00:28:53,100
MFA, right, weeds there's
this thing called MFA fatigue

589
00:28:53,100 --> 00:28:55,400
that's out there. 
You know, you get the spam on

590
00:28:55,400 --> 00:28:57,600
your phone and says, yes. 
Yeah, you know, approve this 

591
00:28:57,600 --> 00:29:01,200
and, you know, it's not you and 
people know it's not then and 

592
00:29:01,200 --> 00:29:04,400
they will still click approve 
and that they just have to get 

593
00:29:04,400 --> 00:29:08,200
it from, you know, wrong once 
and then and then it's game 

594
00:29:08,200 --> 00:29:10,300
over. 
So, I think it's an interesting 

595
00:29:10,300 --> 00:29:12,300
approach. 
I do want to say something about

596
00:29:12,300 --> 00:29:19,300
the MFA fatigue, so, I remember 
where I would get prompts from 

597
00:29:19,400 --> 00:29:22,700
Microsoft authenticator saying, 
you're trying to login. 

598
00:29:22,800 --> 00:29:26,500
And what happened was? 
My laptop session had timed out 

599
00:29:26,500 --> 00:29:29,600
and it tried to re-authenticate 
me and it's going to push 

600
00:29:29,600 --> 00:29:32,300
authentication on my phone. 
And I was in sitting at the 

601
00:29:32,300 --> 00:29:38,100
laptop, it was in my office and 
you know, ultimately I would not

602
00:29:38,100 --> 00:29:41,200
approve it. 
But after that, it happens too

603
00:29:41,200 --> 00:29:43,500
many times. 
I kind of like thought, okay, 

604
00:29:43,500 --> 00:29:45,800
that's what's happening but 
because I'm an information 

605
00:29:45,800 --> 00:29:49,000
security. 
I'm going to be the wise person 

606
00:29:49,000 --> 00:29:51,700
and not approve it, but yeah. 
I think the average person once 

607
00:29:51,700 --> 00:29:54,200
they realize that that's 
Probably what happened. 

608
00:29:54,500 --> 00:29:55,800
They're going to go ahead and 
approve it. 

609
00:29:55,800 --> 00:29:59,300
They know anything about 
Exchange ActiveSync and such as 

610
00:29:59,300 --> 00:30:01,300
like that. 
These are driving crazy. 

611
00:30:01,300 --> 00:30:05,000
Even Jim knows, I am constantly 
trying out new devices so I 

612
00:30:05,008 --> 00:30:09,000
would constantly be in the 
throes of re-registering devices

613
00:30:09,000 --> 00:30:11,800
to get you know work emails and 
calendars and things like that. 

614
00:30:12,500 --> 00:30:14,300
But that is certainly a first 
world problem. 

615
00:30:15,200 --> 00:30:16,800
What other conference thoughts 
that you have? 

616
00:30:16,800 --> 00:30:19,800
You know it you're a presenter 
but you're also hearing it as an

617
00:30:19,800 --> 00:30:21,200
attendee.
I think this is the first one 

618
00:30:21,200 --> 00:30:25,800
you've been here in person. 
For thoughts, comments 

619
00:30:25,800 --> 00:30:28,900
recommendations. 
Like what should people who 

620
00:30:28,900 --> 00:30:30,600
haven't been able to make it 
here in person? 

621
00:30:30,600 --> 00:30:32,500
Like there are viewing it for 
your eyes. 

622
00:30:32,500 --> 00:30:35,600
What would you put out there? 
I would say it's a great 

623
00:30:35,600 --> 00:30:38,000
opportunity to learn what other 
people are doing, right? 

624
00:30:38,000 --> 00:30:39,400
So again, we're here to share 
our story. 

625
00:30:39,400 --> 00:30:41,700
There have been a number of 
companies like us that are 

626
00:30:41,708 --> 00:30:44,700
telling their roll out, roll out
stories and so it's a chance for

627
00:30:44,700 --> 00:30:47,300
you to learn. 
I talk about in my presentation 

628
00:30:47,300 --> 00:30:50,300
about just inspiring, right? 
If you haven't yet started, 

629
00:30:50,400 --> 00:30:53,400
maybe it's an inspiration to get
started, or if you're early in

630
00:30:53,400 --> 00:30:55,200
your journey maybe it's an 
inspiration to go faster, 

631
00:30:55,800 --> 00:30:58,000
everybody's got to make that 
decision for themselves but 

632
00:30:58,000 --> 00:31:00,600
sharing our information. 
This is this is why we like to 

633
00:31:00,600 --> 00:31:04,200
say that cybersecurity is a team
sport and conferences like this 

634
00:31:04,200 --> 00:31:06,300
are opportunities for all of us 
to go out and share with the 

635
00:31:06,308 --> 00:31:09,700
community what we've done, some 
of our lessons learned, maybe to

636
00:31:09,700 --> 00:31:12,300
inspire, at least, to help 
somebody else to be able to go 

637
00:31:12,300 --> 00:31:14,400
through their journey
maybe a little bit better and

638
00:31:14,400 --> 00:31:17,700
if we can get that moving and 
sort of like a domino effect, 

639
00:31:17,700 --> 00:31:19,600
right? 
There's the people come on later

640
00:31:19,600 --> 00:31:21,200
in the journey. 
Hopefully, it's going to go 

641
00:31:21,200 --> 00:31:23,700
much, much smoother for them. 
Because they'll learn from 

642
00:31:23,700 --> 00:31:27,800
everybody else that went first. 
So let's end on a lighter note 

643
00:31:27,800 --> 00:31:30,300
because I want you be able to 
get out and listen to whatever 

644
00:31:30,300 --> 00:31:32,800
the next keynote is because the 
fact that the content has been 

645
00:31:32,800 --> 00:31:38,500
stellar here. Before we go, I
like to get stupid and ask dumb 

646
00:31:38,500 --> 00:31:41,300
questions and kind of bring 
things up a level and I've got 

647
00:31:41,300 --> 00:31:44,700
something really stupid here for
us to end the day on if animal, 

648
00:31:45,500 --> 00:31:48,300
okay? 
If animals could talk, which 

649
00:31:48,300 --> 00:31:52,200
would be the rudest animal. 
The rudest animal. 

650
00:31:55,000 --> 00:31:59,400
I would say something like an 
ant and and I you're constantly 

651
00:31:59,600 --> 00:32:03,400
at risk of getting stepped on.
You're constantly looking up around you

652
00:32:03,400 --> 00:32:05,500
at the feet coming down on you, 
right? 

653
00:32:05,500 --> 00:32:07,500
If you imagine bumping into 
somebody on the on the road 

654
00:32:07,500 --> 00:32:09,700
today, right? 
You give dirty looks right there

655
00:32:09,700 --> 00:32:13,000
may be words exchanged and has 
to do that all the time. 

656
00:32:13,000 --> 00:32:16,700
And with with no almost no 
chance, right? 

657
00:32:16,700 --> 00:32:19,100
Because of the side, the 
relative size of them versus the

658
00:32:19,100 --> 00:32:22,000
foot, coming at them. 
So I have to believe that an ant

659
00:32:22,000 --> 00:32:24,500
would be pretty snarky if 
they're constantly dodging

660
00:32:24,700 --> 00:32:26,900
feet all day.
I guess I would be snarky too if

661
00:32:26,900 --> 00:32:28,900
I was dodging feet. 
Jill dry yourself. 

662
00:32:28,900 --> 00:32:32,700
What is the rudest animal? 
So as Tom was devious 

663
00:32:32,700 --> 00:32:36,100
explanation I thought well first
we need a definition of rude 

664
00:32:36,100 --> 00:32:40,500
because there's like rude like 
you know I will talk to you kind

665
00:32:40,500 --> 00:32:43,100
of rude and then there's just 
doing rude things. 

666
00:32:43,200 --> 00:32:45,100
So not talk to you I was 
thinking okay? 

667
00:32:45,100 --> 00:32:48,500
Maybe it would be an animal like
a deer or something like that. 

668
00:32:48,500 --> 00:32:52,300
That's afraid to be around 
people and but then I thought 

669
00:32:52,300 --> 00:32:55,400
I'm going to go with my original
answer, which was the camel

670
00:32:55,600 --> 00:33:00,300
is known for like spitting like
nasty stuff on on people and 

671
00:33:00,300 --> 00:33:02,300
stuff. 
That's downright rude. 

672
00:33:02,300 --> 00:33:04,500
So camel. 
All right, I'm going to go with 

673
00:33:04,500 --> 00:33:07,400
the honey badger just because 
the honey badger doesn't care. 

674
00:33:08,400 --> 00:33:10,400
It will go after anything for 
sure. 

675
00:33:10,400 --> 00:33:14,000
So, you know, that's a shout-out
to the famous internet video. 

676
00:33:14,200 --> 00:33:16,200
Yes, that is. 
Video is not that the honey 

677
00:33:16,200 --> 00:33:18,900
badger doesn't care if it gets a
little more rude than that. 

678
00:33:19,900 --> 00:33:22,700
Yeah, exactly. 
That's going to go with Tommy 

679
00:33:22,700 --> 00:33:24,200
been a great sport. 
Join us here. 

680
00:33:24,600 --> 00:33:27,000
Hopefully you'll continue
to conference and we'll see you 

681
00:33:27,000 --> 00:33:29,900
out there as well. 
Any takeaways you want to leave 

682
00:33:29,900 --> 00:33:31,600
with people before we wrap things
up? 

683
00:33:32,000 --> 00:33:35,700
No, no takeaways go out and try 
get started, do something. 

684
00:33:35,700 --> 00:33:39,200
I think, I think the first step 
is taking taking the first step,

685
00:33:39,200 --> 00:33:41,800
right? 
So build your business case, do 

686
00:33:41,800 --> 00:33:44,600
your evaluations, build your
understanding of what FIDO is

687
00:33:44,600 --> 00:33:46,900
and whether or not it's going to
work for you and then build your

688
00:33:46,900 --> 00:33:49,200
case from there. 
And hopefully, we'll see you on 

689
00:33:49,200 --> 00:33:51,900
the on this talking circuit in a
year or two and you can bring 

690
00:33:51,900 --> 00:33:54,500
your story forward as well, 
right on will be chairing in. 

691
00:33:54,600 --> 00:33:58,000
The understands for you stop 
talking and start doing is one 

692
00:33:58,000 --> 00:34:00,700
of my favorite things. 
So all right with that, we're 

693
00:34:00,700 --> 00:34:03,300
going to go ahead and leave it 
for this one. 

694
00:34:03,700 --> 00:34:06,600
You can find us on the web at 
identityatthecenter.com.

695
00:34:06,600 --> 00:34:09,800
We're on Twitter
at idac podcast. We'll have a link

696
00:34:09,800 --> 00:34:12,800
to Tom and his LinkedIn profile 
if you want to ping him for

697
00:34:12,800 --> 00:34:16,400
ideas on how he was
so successful in solving all of

698
00:34:16,400 --> 00:34:19,600
Target's authentication problems,
not that I didn't just totally 

699
00:34:19,600 --> 00:34:22,300
blow things up for you, Tom but 
sorry and with that we'll go 

700
00:34:22,300 --> 00:34:24,199
ahead and leave it. 
So thanks everyone for listening

701
00:34:24,199 --> 00:34:26,100
and we'll talk with everyone in
the next one. 

702
00:34:29,600 --> 00:34:32,500
Thanks for listening to the 
identity at the center podcast. 

703
00:34:32,600 --> 00:34:34,900
If you like what you heard, 
don't forget to subscribe and 

704
00:34:34,900 --> 00:34:37,699
visit us on the web at
identityatthecenter.com.

