BIO-key International, Inc. (BKYI) Earnings Call Transcript & Summary

All right. So I think we can go ahead and get started today. Thank you all for joining our first webinar of 2024. Cutting costs and boosting adoption with BIO-key Passkey:YOU. My name is Josh Cranin, I'm the Director of Brand and Content Strategy here at BIO-key. Just a few housekeeping items before I hand it over to your co-hosts for the day. [Operator Instructions]. This is being recorded. So we will be following up with everyone with a recorded copy of today's Webinar. If you like to share it around with any colleagues or watch it again, you can feel free to do so. So I'm going to pass it off right now to Jim Doherty and Kevin Wiser.

Thanks, Josh. Welcome, everyone. I'm excited to be one of your co-hosts for today's presentation. My name is Jim Doherty. I'm a Senior Sales Engineer here at BIO-key. And I have over 18 years' experience as a solutions engineer at several different technology companies, a few of which you can see there on the screen. Kevin?

Yes. My name is Kevin Wiser. I'm also excited to be here with you all. I'm a Senior Solutions Architect with BIO-key, and I've been with the company for about 5 years now, and I have about 20 years of experience in the overall IT space. And looking forward to talking to you guys about what's coming down the pipe here for us.

Great. So before we really sink our teeth into the passkeys, I just want to start with a quick overview on the company. So BIO-key has been doing business for around 30 years now, and we've got deep expertise in identity and access management. We've got some specific and patented technologies around biometric-based authentication which we'll get into today. And we have lots of happy and satisfied customers that we have won along the way through the years. So there will be more opportunity to get information on the company as well as our solution. We will provide some of that after the webinar so that you can look into things a bit further if you wish to do so. And we also wanted to give you a sense of who those customers are. So as you can see there, there's a lot of different logos representing several different verticals and industry types. And our customers really span a range of verticals. We've got many customers in the public sector as well, whether it be government, agencies, foreign country governments really we're a global company and many, many different shapes, sizes and types of customers are using our solutions. And this is just to give a little bit of an overview on our solutions, in particular, though, as I mentioned, we are in the identity and access management space, and PortalGuard is our flagship solution. Just with a quick glance there, you can see that it's a very comprehensive solution. I'm not going to read all of the different capabilities that we have. A couple of quick things to point out. We do offer a choice of deployment. So if need be, for regulation or compliance reasons, we can deploy on-prem, but we can also offer a identity-as-a-service solution. And then you can see there that we can integrate with other vendors in the states. So if you already have a solution, but you're looking to do some things maybe that, that solution doesn't provide natively, we can be that integrator of choice for you. Okay. So we thought we'd start out with a quote. And basically, this quote underscores the momentum, the promise and the hope that surrounds passkeys, right? So passkeys have a successful log-in rate, 4x higher than that of passwords. And 57% of Americans are expressing openness to adopting it. So on one hand, that's great news. Early returns are favorable. And we would hope that a passwordless solution, which is what passkey is would present a better experience than traditional passwords. Now this has been talked about for a long time, as I'm sure you can attest to. People have been waiting and hoping for a viable passwordless solution for a long time. And again, I think what this quote shows and underscores is that, this has actually -- we've come to a point where this is actually possible. And we're going to get into some of the reasons behind why we think this passwordless solution actually has the staying power that we've been waiting for. Great. So I just wanted to start with a quick overview. Some of you may know a little bit about passkeys. Some of you maybe knee deep into researching and testing passkeys in your environments, in your companies. But simply put, passkeys are just a replacement for passwords. So instead of typing in a password to get into your favorite website or app, you would use a passkey, right. And there's several major advantages to passkeys beyond just the obvious, right, of not having to use these passwords, which really have been albatrosses all these years for a lot of us. Number one, they are more secure solution. Now why is that? Well, it's because they're not based on a shared secret like passwords were. They're actually based on public key cryptography, right? So another way of saying that, that you may be more familiar with is it's choosing a public/private key pair. And that's what makes them fishing resistant, right. So that's a win for everyone. That's a win for consumers, employees, companies, governments, everyone benefits from having a fishing-resistant solution. Number two, it provides a superior user experience, right. So that drives adoption as we know. And in this case, there's a couple of major reasons why it's a better user experience. The obvious one, the user doesn't have to stop and type anything in, password, OTP. But the other benefit is it's a familiar user experience in many cases. So users can use their existing biometrics that they use, whether it be Touch ID, Face ID, Android fingerprint, Windows Hello. Things that they're are using on a daily basis to unlock their devices. They can now use that to log into their apps and their websites. And number three, the other key benefit we expect to see with passkeys is a lowering of -- cost savings. So one of the prime examples of the many ancillary costs that we see with stolen or forgotten passwords is the help desk, right. So the help desk is this cost center, there's overhead associated with the help desk function and more than 50% of tickets are commonly related to password reset or stolen passwords, right. So by definition, if we're not using passwords anymore, we should see a great reduction in the amount of tickets that have to be serviced by the help desk and therefore, the cost associated with those passwords. So it's interesting to think about where passkeys fit. Meaning, are these revolutionary? Are these brand new? Is this a whole new suite of technologies that I'm going to have to learn? And the good news is that it's not. It's much more evolutionary than revolutionary. So -- if you're familiar with some of the authentication standards out there today that we're currently using, things like FIDO2: Web Authen. These have laid the groundwork for passkeys. These are the technologies under the covers of passkeys, if you will. So this is good for everyone involved because we're already familiar really with the core plumbing and the core year experience of passkeys. This is going to ease the transition. This is going to benefit anyone involved, right? And that could be app developers. That could be the users themselves. That could be IT and infrastructure people. Having some familiarity with this new standard, we think will be a huge benefit. Now there are a couple of specific enhancements worth pointing out with passkeys. Number one is, enhanced security. So passkeys are actually much more tightly scoped than passwords ever were, right. I steal your password, that password might be used by 10, 20, 30 different apps. And there's really nothing to prevent me from logging into each of those apps with that one password. Passkeys work differently. So 1 passkey is tied to a specific relying party or RP. You can think of RP as a service or a website. So even if somehow that passkey were going to be compromised, that attacker can only use that to get into one site, one specific domain, one specific site. There's also some flexibility that passkeys present. So we have this concept now of syncable passkeys. So passkeys can be automatically enrolled across multiple devices in particular ecosystem. So if I'm, let's say, an iOS user, I have an iPhone and I have a MacBook. Using the Apple ID mechanism in that ecosystem, I can get that passkey to all of the devices within that ecosystem very, very easily so that I don't have to go through an enrollment process on each device. Same goes for Google, same goes from Microsoft. There's also some benefits when it comes to account recovery, again, using that same type of synced passkey paradigm. And then we also have device-bound passkeys. And these, you may consider these more secure in that they can't leave a device. And so perhaps for enterprises and organizations, this might be something that you would consider. But again, you've got the flexibility here to decide for yourself, which to use and in which use case. Next slide, Josh. Okay. So now as I went through my education with passkeys and research, it presented itself as a question, who's behind this? Because we've seen many different attempts at a passwordless approach before, different vendors have had different solutions, and they all worked a little differently. The biggest impediment to mass adoption is that everybody had their own way of doing it. Everybody wanted their way of doing things to win to be the standard. Well, the good news about passkeys is, it's being driven by the big boys of the industry, the major platform providers, all want this, right. So Google, Microsoft and Apple, in particular. They are the ones who are natively supporting passkeys, which is really fueling everything. So there's a couple of screenshots there, and you can see that if you want to log into Google these days, they're making an option for you to log in using a passkey. In fact, they recently made it the default method. So if you wanted to log into your Google account, you can go ahead and use a FIDO credential, whatever that might be. It could be a security key, it could be a biometric. So this is happening. There's a lot of momentum behind it. The FIDO Alliance is also a big benefactor here as well. But really, the main reason that this is happening, and we think is going to happen this time is because of the support of these industry titans. And the fact that they're supporting it in their technologies, there was a statistic I saw that something like 98% of all the devices in the world will be able to support Passkeys, which is just a staggering number when you think about it. Next slide, please. Okay. So one of the next things that we think about when we talk to customers is what type of workflows do you have? What are your use cases that you're trying to solve? And obviously, number one there, passwordless workflows and anyone who is in need or wants a passwordless workflow would benefit from passkey approach. Doctors, for example, notorious for not wanting to take any added step to log in. They want to be helping patients. They -- time is money, all of those things come into play. So really good solution for passwordless use cases. And then shared workstations as well, and Kevin is going to get into this a little bit later in the presentation, but there are specific challenges around a shared pool of workstations where users can roam from one to the other. And so we're going to talk about how passkeys can be leveraged in that situation as well. And then lastly, they're Zero Trust, right. This is another buzzword whose time has come. I would venture to say because we've been hearing about Zero Trust for a long, long time. And one of the major tenets of Zero Trust is that we need to consider additional context before we authenticate a user, right. It's not just based on the network they're on. It's not just on the authenticators they use. It's got to be on things like the device they're using and the trustworthiness of that device, the security posture of that device and a whole other things. But by definition with passkeys, the device is part of the authentication experience. So that helps people get a little bit further down the road on their Zero Trust journey. Which brings us to our [indiscernible].

Yes. So our first of 2 polls of the day. So just for one moment. The presentation will be off the screen and the poll will be on all of yours, one second. So you should all be seeing the poll screen now, is your organization planning to implement passkey authentication in 2024? [Voting]

Folks it is time to get some votes in. I wonder how [indiscernible] they go.

That's going to be interesting.

We don't get to vote, right, Josh?

We do not. Unfortunately.

We can be shifting the spread here because, I mean, our organization has already implemented.

Let's give about 20, 30 more seconds and then we'll share the results.

I'll stick with either Jeopardy theme here, Josh.

Next webinar.

Maybe. Keep our fingers crossed. I like The Price is Right, theme, it's pretty catchy.

All right. I am going to go ahead and close the poll and share the results. All right. 43%, Yes. 57%, no.

Yes. So we've got work cut out for us here. Jim? We got a lot of people to convince still.

Yes. I'll be honest, though, that's not bad. I wasn't sure exactly where we might land, but that's a significant population. So encouraging.

All right. The result -- one moment. Excuse me, I'm just experiencing a slight technical difficulty, since as the presentation was -- There we go.

Even Bill Gates had a Blue Screen of Death, Josh. so happen to anyone.

That has got to be [ Jim Puhl's ] fault though.

All right. Apologies were back. Okay. Back to you, guys.

Yes. So the question though becomes pretty quickly. This all sounds really great. And this is something we wanted to do and passwordless sounds fantastic. But is this going to work in every scenario for us across the board, all my users, is this really truly a panacea? Is it a one-stop shop, one-size-fits-all kind of solution? And the answer is the conventional approach to this is no, honestly, it's good. And it gets much closer to the market than we've been in the last probably 5 or 10 years. But it's -- there's some challenges around it, and we're going to talk about those and some ways that we propose to solve those challenges or enhance the challenges to get us closer to the bull's eye, which is a true passwordless ecosystem for our enterprise or our CIAM customers where they can just authenticate with something really simple. And they don't have to remember 10,000 passwords or keep a password manager handy to keep all those stored for them or that kind of thing. So If we could show the next slide here, please? So the traditional or conventional approach that last slide kind of alluded to, typically involved either one or two things. A hardware token like a YubiKey or Titan Key as Google likes to call them. I don't know if Apple has their own nomenclature for them. But they're all 502-based authenticators, right, with the half of a crypto key in them and you plug them into your USB port and you touch a button or whatever or maybe even scan a fingerprint on them and they unlock their part of the equation and that handed off to the server. And the magic happens behind the scenes and my user is log in, right? Or the other half of it is you use a mobile phone with either an app or maybe an app plus a, authenticator built in, so maybe it relies on like Touch ID on an Apple device or the Android equivalent or that sort of thing. But there's challenges for those. So one of those challenges when we talked about like YubiKeys are high costs, right? We have a slide here in a couple of minutes we're going to show that kind of illustrates like how expensive that potentially could be. But you need at least one token per user that's going to be using this passwordless future that we're talking about. You'll need probably a handful, at least of backup tokens, maybe not for every single user, but you'll have some amount of loss or breakage that you'll need to account for, right? Because you don't want to be stuck in a situation where you're just onboarded 100 new users and you don't have hardware for them. So that wouldn't be fun. And so you've got to have inventory on hand to cover those kind of cases or somebody goes to a conference and a group of users had too much fun there, and they left all their -- the airlines lost their luggage. Maybe they're flying on a 737 MAX and all the luggage goes out the door or something, who knows? But if I'm the IT admin, I would have to account for losses and so I need hardware on top of that. So if I'm looking at a cost of $30, $40, $70 a token, depending on what technologies are in them, and I need 1,000 of those, that is not an insignificant outlay, right? So costs come into play. Even if I'm looking at users utilizing their own cell phones, right? BYOD kind of environment, depending on my state or country, I may have to pay for them -- for their cell phone or some snippet for their cellphone for them to leverage it for work, right? That's a common thing in California. I believe there are some countries in Europe that are starting to go that direction, if I'm not mistaken. So that's a real thing that happens. And so that's also a cost outlay I have to be aware of and thinking about when I'm writing my budget each year. Compatibility. So some tokens may not work on some devices. If I don't have like a lightning or USB-C-enabled token, then my user can't use it on their cellphone, right. And maybe they can't use it on their tablets. If that's what they use. So those kind of compatibility issues are something that have to be tackled as well. Do I have a fallback option available to me if I have a user that maybe is special maybe is a word or just kind of outside the box, my 1% users, right? Like 99% of my users will do X, but have those 1% of users or the 5% of users that are going to do Y and Z, maybe they're board members, maybe they're field employees, right, if I'm in a manufacturing trade or I'm in the energy industry, I've like lined in that may need to run reports on a tablet or that kind of thing. So I need to be thinking about my 1% by 5% of users that don't fit in kind of the standard box of the rest of my user base. User experience, right? So they may have to wait for a token to generate a new code or sync with the system. Do they complain about that? I know like doctors, police officers, they're -- they don't want to wait for my system to catch up for security. All they want is something simple. I know at least in the past a lot of police departments, health care, safety in general, you may have shared log ins, right? And so now I'm bringing in something where each user has their individual identity, and that sounds really good to me in management from an IT securities perspective and IT administration perspective. But for my users, they say, [indiscernible], isn't as good as what I used to have, I just used to log in with examroom 1 and we don't need a password, and I didn't have to worry about any of this. And now I'm waiting for a number to appear or rotate or this thing isn't working for me. So that experience for the user, when it shifts, depending on my user base, they may have complaints, and I may have to answer to those. And then, of course, there's just kind of security issues around even a hardware token or a phone where, if gets lost or someone shares it and shares their PIN alongside it. There was a story that our Chief Legal Officer, he loves to tell and he's better at remembering the particulars of it, but it was a call center in India. They had implemented their contract agency, right, doing a help desk and the company that they were contracted for had implemented FIDO2 tokens for all their users to authenticate to their systems before they sign into their contract company systems to get authenticated. And what they did in the office was they just took like the tokens and left them all in a big pile and users would just grab them and sign in with them or whatever because it was easier for them than managing their turnover, right? And when an audit came down from the contracting company and said, "Hey, what the heck", they said, "Well, this was easier to implement, nothing in the contract say we couldn't do it." So sometimes there is not just accidental bending of the rules. There's willful or intentional bending of the rules because someone thinks they know better or that it works better or that it implements better than the governing group and the contracted company thinks -- these just think they know better, right? So if we could shift to the next slide. And then there's some challenges around, like phone apps, right? This slides says phone can work for desk worker employees or on manufacturing floors. And the reason it says can is there are scenarios where that doesn't work at all. So you look at clean desktop, again in the call center where they're not allowed to have a phone, why wouldn't you want that? Well, because of data security or privacy concerns, someone may be distracted or much worse, maybe they're taking screenshots of proprietary business information that customer's account number or their credit line or something along those lines. And then they take them home and send them to them. I know, me personally, I try to be very secure in my digital life and in my physical life as well. But like I had my American Express Card stolen. I don't really know where they got it from. I suspect it was a skimmer but I got to charge on my account that from -- and AmEx called me up and said, did you buy a $2 Coca-Cola at a vending machine in several states away, and I said, no, I did not. And they said, "Oh, well, that's usually the first step to verifying a stolen card is they'll run it against something like that." And then if it's successful, then they go and start making the big purchases, right? So they had to issue me a new card and everything. So even somebody like me tries to stay pretty conscious of this stuff and on top of it, can get thought to speak without thinking about it too much. And of course, that's a credit card, but you have to think about, again, your tokens, your phones, that kind of thing that you're using to authenticate. The bad guys are really good at what they do, right? If they weren't good at it, it wouldn't be profitable for them. So these are things we have to think about. There's also safety concerns, right? In health care, maybe I don't want a doctor carrying around a cell phone with them into various exam rooms. They touch it with their gloves or something and they're spending a communicable disease or something. In manufacturing, somebody is looking at their phone and too close to a piece of rotating machinery and their shirt sleeve gets caught or that kind of thing. I mean who knows, I don't mean to just make up morbid scenarios, but there's reasons why these policies are in place and why certain form factors or authenticators may not work in certain scenarios. Shared kiosks. As you see here, workstations, desktops, laptops even that are shared, maybe in a loaner scenario. We don't want to use those as part of the authentication chain because they're shared, right? So if we're trying to get to a passwordless unique digital identity for all of our users for security and convenience than having them share those form factors going back again to those like tokens that were just left in a pile is not good security hygiene, right? So to go to the next slide, I want to show you some of the numbers we were talking about earlier when it comes to hardware tokens. And Jim, if you wouldn't mind, like you have a lot of experience in this space, especially when it comes to hardware tokens. Would you mind kind of talk about this for a second?

Sure. Sure. So we sort of stumbled across this page. This is taken directly from Yubico's website and what it is as a cost calculator. And what they're doing is they're trying to pivot from one type of service to a subscription service. So what they're trying to do is basically say, hey, over 3 years, we're going to charge you this much per key, but we're also going to build in a replacement factor of maybe 20% as it says there, right? Because we just know there are issues getting these keys back after people leave the company. We know they're going to lose them, they're going to break them, as Kevin was alluding to. So really, the goal of it was to point out what a good value their subscription service is. And what floored us was, frankly, just the cost related to using hardware keys like this as a mainstream credential option. The numbers are staggering in the hundreds of thousands of dollars once you get up into the thousands of keys -- again, using that formula of you're going to probably want to have at least two per person, and there's going to be attrition over the course of that term, that 3 years. And you can actually go to this site and put in different numbers and kind of gauge what that might look like in your organizations. But again, as cost-effective mainstream adoption for use with passkeys. Just be aware that the cost might not be what you were thinking they would be.

No, it's an excellent point. It's kind of funny to me, Jim, too, because like this is a little bit like the Rent-A-Center model, right? Like yes, you want hardware, but you're going to pay us once a month for the hardware. It's really kind of an interesting shift in the potential dynamic. And I get it, everybody wants ARR, right, like the annual recurring revenue. But hypothetically going to buy these things because I'm going to hold onto them, I'm going to inventory them, and it's going to be a onetime capital expenditure, right, not an ongoing service for me. And more power too say going make money this way, though, right? So -- but it's interesting, it's a really interesting calculator. And if you look at it, 5,000 users is -- it's a good size organization, but it's not a huge organization, right? And you're anything smaller than that, your costs are going to go up, right, because this is a pretty good break you're getting for 5,000 users, air quotes, a pretty good break. When you go to like subscription basis according to them. But if you're at like 300 users or 500 users, you're going to see a difference in price per user per month and per key, and it's just something to kind of be cognizant of. And we'll shift on to the next slide here because I want to talk a little bit about what we think we can do a little bit differently for you guys. So what we're bringing to market is a technology that we call Passkey:YOU. And so it's a passkey that works without a phone, without a token and doesn't require a password, right? And that's kind of the key part of the passkey, scenarios not being passwordless, but no phones or no tokens. Instead, we're offering our biometric technology, industry leaders in biometrics to begin with, layered on top of the passkey experience. So a fingerprint reader attached or potentially even one built into your device, we can use to authenticate your user using what we call identity bound by biometrics. And the trick to that is that your users enrollments, right? They enroll once for their authentication anywhere they go, any device they use. With our technology implemented will allow them to authenticate there. They don't need to reenroll. They don't need to be reenroll two, four, five or six different machines or have multiple tokens on hand or call back to IT to get reissued a token. Anywhere that they've -- and once they've enrolled, anywhere that they go that they authenticate against our technology, they'll be authenticated passwordlessly and sign-in. And so it's really exciting for us because we think we can really bridge the gap here that we've kind of tried to identify for you previously. So the gap is, okay, you're going to be stuck with tokens, you're going to be stuck using your phone. We don't have to do that. And that is kind of a key change. Can we move to the next slide? So IBB, like I said, is how our centrally managed authentication engine, and we have a bunch of patented technology up into this. But as you see here, we can do things like a palm scan. We have a facial scan technology. Bread and butter is our fingerprint scanning technology. But basically, like once you have enrolled, we store your data and that can either be in the cloud or on-prem. So if it's on-prem, you own that data, right? It's completely in your own environment, on your own hardware, virtual hardware, you own that entire process. In the cloud, you still own that data, but we're storing it for you in AWS, one of the most secured providers in the world. But we encrypt that data and it's not reversible. It's an irreversible encryption for your fingerprint data. I shouldn't phrase it that way. What I mean to say is that you can't take the fingerprint data or the biometric data that we encrypt and turn it back into an image of someone's fingerprint or their palm print or their face or that kind of thing. The way that we handle this proprietarily allows us to prevent that from happening. And so when you store your data with BIO-key, your biometric data, essentially stored and users can authenticate anywhere that the technology is available. So anywhere that they've got a reader installed or they are using their mobile phone, they can do that like a palm scan as well. That data is securely protected and gives your users additional security but laid in with passkey or layered in with passkey, it gives some additional simplicity, right, to authenticate. And so if we can go to the -- yes, thank you, sir. So what we're doing here, like I said, is we're trying to bring this stuff together, right. So there are gaps in this. Like if you look at passkeys implementation today, it's not implemented everywhere yet, right. Like in your provider, your service, your applications or whatever, have to implement FIDO2 and passkeys in order for that to work. Now the big players are doing that, which is good. That makes it like as Jim was alluding to earlier, it enhances our confidence that this will be kind of the next step in our true passwordless future. But everybody has to implement that and turn it on. And so that's one of those kind of gaps there. So your provider has enabled it, you can't have it, right? Like you can't have it on that particular technology or that service. And so we can do this in a couple of different ways. We store your data, like I said, securely, and we can then use that data with a passkey and sign into like O365 or Google , as you saw, without an IdP. That's an identity provider, by the way, or we can be your IdP, your identity provider. And we can connect to services that don't currently implement passkeys, but we can bridge that divide for you. Or we can be -- we can also support apps that don't even support any sort of single sign-on or passkey protocol. We have a feature that we call SSO Concierge, which allows us to provide enhanced authentication to apps that don't even support any type of advanced authentication at all. So we're trying to bridge this stuff together to where it's all kind of in line. So it can't be handed over, shared, forgotten or stolen. You control the data, you control the enrollment, it's affordable and it's phishing-resistant. So go to the next slide. So like I said, there's a couple of different ways to attain this with biometrics. You could do a fingerprint, you could do facial or you could do palm scan. I personally use the fingerprint or the palm scan almost all the time. I find the fingerprint really easy to use. I have a reader here in my office that I use all the time. And when I'm on the go, I just scan my palm to authenticate and I'm signed in, and it's really easy to do. And if you haven't seen our palm scanning technology, we'd be happy to do a demo for that, for you. It's really cool stuff. You just have a little app install in your phone, you scan your palm and then ask you like to scan your palm a couple of times to enroll. And then once you go to authenticate, you just get a notification to your phone. You bring your palm closer to the camera, it uses your phone's camera, it's all built in. And that authenticates me biometrically to any of my apps that either use a passkeys or that are linked to our identity provider, in our PortalGuard IdP. So it's really easy. It's really simple to use. The tech here, I wish we had a video of it or something. But if you're looking at like the palm scan, you can see far close, perfect. So there's a little bar that goes around that shows you like, hey, you need to bring your hand closer or further away so we can get that perfect scan of your hand and authenticate you, but it's really very, very intuitive to use. And generally, when most people see it for the first time, there just like, "Wow, this is really cool." So it's exciting. And like I said, I use it every single day. So that brings us back to this Passkey:You technology. And I think I jumped the gun a little bit there, Josh, I apologize. I was so excited about talking about it. But again, this product -- this new offering allows you to do passkey authentication, utilizing nothing but your fingerprint. Doesn't require a phone, doesn't require a token, no problems. It's easy, it's secure and it's portable, right? Again, so anywhere that I go that has -- either have my phone with me or I have a fingerprint scanner or I can have a facial scan, anywhere I go once I'm enrolled, I can just go and authenticate. And it's really simple. It's really cool. And we're just so excited to bring this to market and share it with our customers and future customers. And I can't stop talking about it. But can we go to the poll.

Yes. So I'm going to launch the second and final poll of the day. What method do you use to unlock your device? [Voting]

So I guess I already kept my hand here. I use my fingerprint or my palm scan.

I'll put my money on facial.

Yes, facial or touch would be my guesses.

Yes. Problem with Face ID, firstly really on my Android device is like I live in a cold climate now. We just moved up here recently. And like if I've got like what I call it like a face gaitor on or if I've grown my beard too long that stuff, I find it doesn't like account for that as quickly, and I have to reenroll my face or that kind of thing. So at least with my fingerprint, like don't have that problem.

They make those awesome gloves now when that you can wear, that you can use your phone with.

Right. Doesn't -- I don't believe those work with the fingerprint though.

Oh, they don't? You just have to touching screen.

Yes. Yes, it's a capacitive. It passes through the current, but it doesn't authenticate fingerprint. If we get any other answers we need to ask. Which ones. Yes. I was totally curious. Maybe someone uses -- oh we got pattern on there, right? I use to use pattern on my Android all the time.

Iris or retina, right, maybe?

Voice, for instance.

Voice, yes.

I don't know.

All right. I mean I'll go ahead and close it and share the results. Facial came first.

Is that a single pattern? Don't have any Android users on the call, I think.

No Android users. All right. Should we wrap up and go back to presentation?

Yes, absolutely. Let's go.

All right.

So we talked a lot about this already, but we think there's some really like key advantages here, right? You control the enrollment. It can't be handed over, shared, forgotten or stolen. It's phishing-resistant, which is good, right? The phishing is a key concern for a lot of us these days. And we can cut your life cycle costs by as much as 50% to 70% compared to hardware tokens. It's a passwordless solution that doesn't require a phone or hardware tokens. Now again, you can use layer in with PortalGuard, our identity provider, you can leverage some of those other technologies if you want to. So one of the cool things about PortalGuard as a stack or a whole is that allows us to have a multiheaded approach, right? So I can have some groups of users that have just Passkeys. I have some users that use tokens and maybe alternately, they have a backup method of fingerprint or they use fingerprint as a primary or they use palm scan as their primary and a token as backup. But what's really cool about our integrated solutions is that we have so many different ways to service, again, getting back to kind of the 5% or the 1% of the users, the odd ducks, I don't even want to call them weirdos, right, but they have different needs than the rest of my user base. We have a solution for all of them. And it's just a matter of implementing the right technologies for the right users at the right time to suit their needs and IT's vision, and we can do that for you. And so it's a really exciting time to work for BIO-key and hopefully to be a BIO-key customer or a future BIO-key customer because this is just one more arrow in the quiver to get us to the bull's eye of a passwordless future. And so I kind of like to bring this all together at the end here, we wanted to include a diagram of like how this works. And I don't want to like read through every single item here. You can do that. We're going to provide you with our PowerPoint and you can go through and look at this on your own. And we also have a really cool handout that Josh and his team have been working on that covers all this as well and some really cool details, a white paper. But basically, what happens is you go to a site that's enabled for passkeys, right? And the user will see a login button and that kind of goes back to you saw earlier an example with Microsoft or Google, where they see that there first, right? And so the user or the when they see that passkey authentication, they'll typically click a button or something to initiate the process. And then our WEB-key server, which is our biometric matching engine, will be notified by the server, whatever relying party that is our key, will notify our server and at the begin the connection to the client that the user needs to start their authentication -- their biometric authentication. And so there'll be a pop-up on screen that asks them to authenticate. And so they'll place their finger on the fingerprint reader or if they're using their phone, right, they'll get a notification to begin the palm scan, and they'll start that process. And they'll go ahead and scan their finger, they'll scan their palm. And that data is then sent securely up to the WEB-key server to do a match. And our WEB-key engine is very, very, very fast. And again, we use proprietary patented processes and algorithms to handle that matching. But the ultimate goal is that within a few milliseconds, we have matched the user's biometric identity to something that was pre-enrolled for them, right? And then we hand that back over to the server, the relying party, the RP to let them know, hey, BIO-key has matched this user, they're ready to authenticate, go ahead and sign them in. And so we unlock the other half of the private public key chain and the server that the relying part of the app, they're trying to sit into Microsoft or Google or whatever, we'll go ahead and finish the log on from there. And so it's really simple. There's very little for the user to do. They click a button, they scan their palm, they scan their finger, they scan their face. And then everything else happens in the background and within a few more milliseconds, they're authenticated and signed into whatever it is that they were trying to access to begin with. So it's a really seamless process for the users. It's a very quick process. It's very secure. And it's simple. So we're really excited again to bring this technology forward. And again, you can do Passkey:YOU without PortalGuard, our identity provider engine. You can do it completely separate from it. So you don't need to have that full stack implementation of an IdP. If you just have some users that need to sign into a particular app, another great application like a CIAM, so a customer identity and access management need where they're trying to sign into a back end or something that you provide to your end users or your end customers, that may be a really simple implementation for them. But it's really, again, seamless, simple, fast, inexpensive implementation to get us through that passwordless future. So can we go the next slide, there we go.

All right. Yes. That -- it brings us to the conclusion. We're going to take a couple question that we received, just some final couple minutes left on the webinar. But as we mentioned before, [indiscernible] hearing this presentation after the fact, but be having new data sheet for Passkey:YOU, great data sheet for identity bound by metrics that Kevin was describing as well as a link to reach out to us if you want to set up some time to chat or if you have any questions at all really about anything we discussed. And you can also reach out to myself, Kevin or Jim directly, and our email addresses are provided in this presentation. Also don't forget the two data sheets are included as downloadable handouts that you can find in go to our -- Go To Webinar control panel. All right. So I think we have time for just maybe one or two questions. Let's see. Okay. Question one, do you support methods for authentication besides biometrics?

I think Jim or I, either one could fill this, but yes, absolutely. As you saw in the presentation, specifically to Passkey:YOU, we support fingerprint, facial and we also support the palm scan. And then with our full-blown IdP, we support like 17 different methods that include things like door access badges, there's the SMS as a fallback, which is kind of becoming an antiquated technology these days, but we do support it. I mean there's a slew of them. Jim, do you have any thoughts on that?

Yes. We support a wide array of options with our IAM solutions. So putting aside passkeys for a second, like you said, Kevin, I think 17 distinct methods. And I mean that encompasses really like the whole historical time line of multifactor. So if you have a use case that requires printed codes or grid cards as they call them, we can support that all the way up to older, but still very much in use methods like SMS, OTPs. One quick note about authenticator app. So BIO-key prides itself on being an open system. So we realize that you may already have customers using other third-party mobile apps, right? It's not unusual for customers to have a few pockets of MS Authenticator users out there and the ease the transition to our platform or to just coexist with our platform because you might be using fingerprints for other use cases. You can go ahead and use those apps with BIO-key. So whether it be Google Authenticator, Authy, or the Microsoft Authenticator, those can be used with BIO-key. But specific to passkeys, that is a standard, and we would support all of the FIDO credentials that are supported when you were talking about passkeys. Many of those are biometric in nature, but not all. Security keys, right? FIDO2 keys would be an example of a nonbiometric that you can use with passkeys and we do support those as well.

Great. Let's just do one more before we wrap up. Let's see here. What do I do if my services don't support passkeys natively today?

Use PortalGuard.

Go ahead Jim. Use PortalGuard, Exactly. I was going to say.

I'll say a quick two cents and then Kevin, you can chime in. So we support passkeys today. So you could leverage PortalGuard which, again, is our IAM solution and use that, we support passkeys and then you would be able to get into any of the apps that you want because we are an SSO provider. There are ways out there to make your existing sites and apps, Web Authen-friendly, if you will, and support things like passkeys. I'm not a developer. I'm told that it's not a Herculean lift. There are tags you can add, for example, to make the login field support Web Authen. So I would say a little bit of research into that, but if that's the route you decide to go, that can be done as well.

And if I may, there's going to be a few probably like -- a lot of people call it like legacy apps. I'd like to refer to them as the [indiscernible] apps, so that kind of thing, applications that are installed locally, or maybe installed -- another really good example we saw recently was an application called Parallels, which is a bit like your Citrix hosted apps, right? Parallels system or a technology. And within that a hosted application, there was a log-in and dialogue box that was developed by somebody else that my customer didn't have any access to or ability to enhance or change or anything and our SSO Concierge technology is installed locally on machines to authenticate to that. And what it is, it's a little engine that watches for the correct process ID, the launch and the window title and the right timing and when it sees those things, it can either just -- I'll go ahead and automatically sign into that for the user or it can prompt them for an additional authentication event there and say, "Hey, can you give me your fingerprint or can you give me your palm scan or token or your door access card or what have you. " And it will go ahead and complete the authentication then for the user. But again, kind of one of the beautiful things about our stack and our working here is we can do passkeys for things to support FIDO without any lift whatsoever. We can do a full-blown IdP with PortalGuard and our technology and layer in Passkeys with it or we can go ahead and go that extra mile and for things that don't support any of that stuff, we have a solution for that as well. And so it's really exciting to be able to provide kind of a complete package like that to customers that need a lot of flexibility and might come at us with kind of odd scenarios. Those are my favorite ones to work with and work on is try to figure out how do we approach a problem that kind of no other vendor has been able to solve for a customer and say, "Yes, I could do that, just give me a little bit of time here, and we'll work it out. " So with that, I think I think we're ready.

Yes. Yes. So that, we reached time for today's webinar. Thank you for everyone who joined. Please keep an eye for an e-mail from us, as a follow-up with a copy of this webinar as well as a link to schedule a call if you have any questions. That's it. Have a great day, everyone. Thank you.

Thank you.