While Jack went up to Minneapolis for the Jamf Nation User Conference, I stayed home and attended the Ping Identify 2018 show in San Francisco. My first solo conference!
It was definitely the smallest show I’ve attended so far, but that isn’t a negative—merely a new experience. Ping’s Identify shows are regional customer events (their next one is in New York on November 7), while their main conference is Identiverse. So, what did they cover?
Time for the enterprise to implement multi-factor authentication
Or, as Ping called it: MFA everywhere. They explained that while multi-factor authentication has been around for a while, it hasn’t been as widely embraced in the enterprise as hoped. While there are a variety of second-factor options available (FIDO U2F, Touch ID, biometric, etc.), MFA use remains low due to the complexity of integration. As an identity management vendor, Ping naturally hopes to change that with its products, including PingAccess, PingID, and PingFederate.
It really feels like the whole IAM industry is on the same page, as we saw the same MFA push earlier this year at Google Cloud Next and Microsoft Ignite, for example. At this point, there is a mountain of evidence telling us that we should have more than just a password protecting employee accounts.
While MFA is a focus, Ping made it clear they’re also looking toward the next steps, mainly password-less login and “zero login.” CEO and founder Andre Durand explained that Ping’s roadmap is: MFA everywhere to start; then MFA plus “zero trust”; and then zero login. The goal is to bother the user as little as possible for authentication, with features like contextual, adaptive, and continuous access being used to ensure the user is the correct one and who they say they are.
Alongside Ping’s positioning for MFA everywhere, they announced a partnership with hardware security key maker Yubico. Ping will offer current and future PingID customers YubiKey 5 Series keys, available in two-packs. It’s not a surprise to see an IDaaS vendor team up with Yubico, especially as hardware keys are one of the most secure second factors around (check out my review of the YubiKey NFC). Yubico’s 5 Series keys also support password-less login, which fits in with Ping’s roadmap.
Lastly, Ping announced that PingID, their cloud-based MFA solution, grew from 8.3 million users in 2017 to 27.3 million in 2018—pretty impressive growth! So, while MFA isn’t as widely used as vendors want, it does appear to be getting better. PingID also now includes offline support as well as conditional access, and there is an SDK available to allow for native embedding into customer apps.
Ping excited about integrating AI/ML into more products
PingIntelligence for APIs, first announced at Identiverse in June, is now in general availability. While a lot of focus during the event was around MFA, improving API security was a definite second. Andre, as well as SVP of Intelligence Bernard Harguindeguy and Sarah Squire, Ping’s senior technical architect (who had homemade YubiKey earrings!), all expressed excitement regarding the integration of artificial intelligence and machine learning to better secure APIs.
Sarah and Bernard both mentioned that with PingIntelligence for APIs in GA, Ping’s AI/ML teams can now look to add new capabilities into their other products.
With AI/ML integrated into their IDaaS products, Ping says companies will face less complexity, cost, and time; IT won’t have to spend as much time creating rules and policies, for one. AI/ML can be used to observe each individual user, collecting and analyzing their unique signals and behavior patterns to help identify them, making it much easier to authenticate them—and to prevent unauthorized access by someone who has gotten ahold of an employee’s password.
While these features are definitely welcome, other vendors have already started adding them to their products, especially behavior-based features like contextual access, so we’ll see if Ping uses AI/ML in a way that makes it clear it’s not just mentioned for the sake of being the latest buzzword.
Ping says that getting to zero login for low-risk activities will require ML. With zero login, the goal is to understand a user’s normal behavior (for example, using a known device, with the user’s typical behavior, like typing patterns) and allow the user access without needing to actually log in. This is meant for low-risk activities, such as making a purchase online and having it sent to your home or work address (something an attacker is unlikely to do).
Other odds and ends I learned from the conference
Here are some smaller additional things I learned from the conference that are worth noting.
- PingOne, Ping Identity’s IDaaS single sign-on solution, now supports more open standards, including OpenID Connect as well as SCIM for provisioning. Andre mentioned to me that he believes that support for SCIM should become an industry standard and that it’s currently in the same position SAML was just a couple years ago.
- While talking about this, Andre also said he came across an “SSO Wall of Shame,” which calls out companies that currently charge for SSO (some companies listed include Atlassian, GitHub, and Trello).
- Some of Ping’s biggest customers have just a few apps in the cloud, Andre told me. To illustrate this, he explained that one customer only had a single app in the cloud and by the end of 2019 planned to double that—at best. This just goes to show that IDaaS vendors need to offer hybrid solutions if targeting the enterprise. Other companies with identity products have announced similar hybrid solutions because on-prem apps still make sense for particular use cases and that isn’t changing. Google Cloud announced secure LDAP at Cloud Next in London just a couple weeks ago, a move to indicate that they will meet businesses where they’re at, even if wide cloud acceptance isn’t there yet.
It continues to be a battle to provide adequate protection around user identity, while also keeping the user experience from becoming too complex and obnoxious. Ping spent time at Identify saying they’re continuing to work on finding a good middle ground between the two.
For now, Ping is looking to push clients that already have ID management in place to start integrating MFA into that. Once employees and organizations are used to it, maybe it’ll be time to migrate to password-less login and zero trust, and move organizations beyond reliance on passwords.