CyberWire Daily - Street cred: increasing trust in passwordless authentication. [CyberWire-X]

Episode Date: May 9, 2021

Good security gets out of the way of users while getting in the way of adversaries. Passwords fail on both accounts. Users feel the pain of adhering to complex password policies. Adversaries simply copy, break, or brute-force their way in. Why, then, have we spent decades with passwords as the primary factor for authentication? From the very first theft of cleartext passwords to the very latest bypass of a second factor, time and again improvements in defenses are met with improved attacks. The industry needs to trust passwordless authentication. What holds us back from getting rid of passwords? Trust. In this episode of CyberWire-X, guests discuss a framework of technical controls to ensure only trusted sessions authenticate, regardless of faults or failures in any one factor. We share a path forward for increasing trust in passwordless authentication. Nikk Gilbert, CISO of Cherokee Nation Businesses, and retired CSO Gary McAlum share their insights with Rick Howard, and Wolfgang Goerlich, Advisory CISO of Duo Security at Cisco, offers his thoughts on behalf of sponsor Duo Security with Dave Bittner.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, a series of specials where we highlight important security topics affecting organizations worldwide. I'm Dave Bittner. Today's episode is titled, Street Cred, Increasing Trust in Passwordless Authentication. Good security gets out of the way of users while getting in the way of adversaries. Passwords fail on both accounts.
Starting point is 00:00:44 Users feel the pain of adhering to complex password policies. Adversaries simply copy, break, or brute force their way in. Why then have we spent decades with passwords as the primary factor for authentication? From the very first theft of clear text passwords to the very latest bypass of a second factor, time and again improvements in defenses are met with improved attacks. The industry needs to trust passwordless authentication. What holds us back from getting rid of passwords? Trust. In this episode, we'll discuss a framework of technical controls to ensure only trusted sessions authenticate, regardless of faults or failures in any one factor. And we'll share a path forward
Starting point is 00:01:28 for increasing trust in passwordless authentication. A program note, each CyberWire X special features two segments. In the first part of the show, we'll hear from industry experts on the topic at hand. And in the second part, we'll hear from our show sponsor for their point of view. And speaking of sponsors,
Starting point is 00:01:47 here's a word from our sponsor, Duo Security. While remote work has been on the rise for years now, the recent rapid expansion of work-from-home culture presents new security challenges. Duo's cloud-based access security shields any and every application from compromised credentials and devices,
Starting point is 00:02:15 and its comprehensive coverage helps you meet compliance requirements with ease. Duo natively integrates with applications to provide flexible, user-friendly security that's quick to roll out and easy to manage. It's a win-win-win for users, administrators, and IT teams alike. With Duo, you can confirm user identities in a snap, monitor the health of managed and unmanaged devices, set custom security policies for your business, and more.
Starting point is 00:02:44 Duo's mission is to secure your mission, so you can stay focused on what you do best. Give your organization the peace of mind that only a comprehensive security solution can bring. Get started on your journey to a more secure future with a free 30-day trial at duo.com. For more information, visit us at www.duo.com. program with my conversation with our show sponsor, Duo's advisory CISO, J. Wolfgang Goerlich, for his insights on passwordless authentication. Here's Rick Howard. Fernando Corbató, one of our great computer science founding fathers, invented the idea of passwords in the early 1960s to stop MIT students and teachers who shared the same mainframe and file system from needlessly nosing around in everybody's files. And by the way, to limit their time on this back then precious computer resource, they imposed a four-hour limit
Starting point is 00:03:58 on everybody. But by the late 1970s, it became clear that this clever hack back in the day wasn't a great way to secure systems in general. And by the time the Internet started to gain traction in the 1990s, anybody from anywhere could try to subvert the system. As security practitioners, we started dreaming of passwordless authentication systems. Nikk Gilbert is the CISO for Cherokee Nation Businesses and has been involved in deploying these kinds of systems for just under 20 years. I invited him to the CyberWire's hash table to ask him to explain what a passwordless authentication system is. It'll probably mean different things to different people. What it means to me is an environment where I no longer have to have a password that I constantly have to change and re-memorize.
Starting point is 00:04:44 We need the industry or the world using multi-factor authentication. It's something you know, something you have, and something you are. By at least having two of those things, you create an environment where your people are going to be a little bit more secure, but it's certainly going to prevent a lot of the common mistakes and the common bad guy tricks to get people to do things. Gary McAlum has just recently stepped down as the CSO for USAA, and this is how he describes those systems. We want to eliminate user credentials right out of the environment.
Starting point is 00:05:19 Maybe you have a user ID, but now you're tied to an authentication mechanism, which does not depend on something you type in and change every 90 days. In the early internet days, Nikk worked for the military as a CIO and CISO in multiple organizations. They were rolling out passwordless authentication systems as early as 2002 in the government, long before the commercial sector started to consider it. And as you know, that's an anomaly. Usually, the government is 10 years behind the commercial sector in all things tech. But Nikk's frustrated at the lack of progress the community has made since then.
Starting point is 00:05:55 When, after 20 years, the best we have available to us is the Microsoft Hello program and Apple's Touch ID. Here's Nikk. When I was the CIO of NATO Base Iceland back in 2002, we were one of the first bases to deploy what became known as the CAC card, the Common Access Card, where you no longer had to have a password. You had basically multi-factor with your military ID card. You'd have your ID card, and you'd have a PIN number, and that's how you got access to everything.
Starting point is 00:06:25 That's the military in 2002. It's 2021. And, you know, I went on from NATO Base Iceland to working for this big multinational in Paris. We deployed, and this is commercial, mind you, 43,000 smart cards out of 100,000 employees. We had 43,000 knowledge workers, and we were able to get
Starting point is 00:06:46 door access. People were able to buy coffee with their cards, go to the cafeteria with their cards. And that was 2005. And again, we're in 2021. And what do we have? We have Windows Hello. Nikk says that even when we have the tech deployed, leadership is still reluctant to change. Let's talk Windows Hello for a second. In a knowledge worker environment where a person goes to the same PC every day and the organization has mature lifecycle replacement, and they've been in a position where they've got new laptops that have the right kind of camera for Windows Hello. That puts you in a position technically to do it, but you still have this uphill challenge with your users. Everybody wants a passwordless.
Starting point is 00:07:33 They don't want to have to continually change their passwords every 90 days. It just seems to me that being able to implement something like that would be a real no-brainer, but nobody at any level wants to take on the challenge. The mid-level IT people are like, well, our laptops don't do that, or our users can't do that, or we haven't been patching our TPM software on our laptops,
Starting point is 00:07:57 or the OCM, the organizational change management, will be too much for most users to grasp. I mean, we're talking something simple here like facial recognition or a PIN number versus continually changing your passwords. The biggest challenge that I'm seeing from the top down is the lack of willingness to try something new. People are just so change adverse. As with many things in tech, we need to design these services, especially something we are going to use multiple times a day, like a passwordless authentication system, with the
Starting point is 00:08:30 grandmas and the grandpas of the world in mind, not for the Silicon Valley engineer. Here's Nikk again. It's got to be so easy and so customer-friendly. What's that quote, what they used to say? It's a no-brainer. We've gone through this over the years. Nobody wanted a dongle. Nobody wanted a smart card. I'm not trying to sell anybody anything here, but my ultimate vision would be that you have your smartphone. And this is for knowledge workers, which I know isn't everybody, but for your knowledge workers, you could very easily use a smartphone for authentication. We're all addicted to our technology. We all carry smartphones. Many of us have Apple Watches. And I realize it's not
Starting point is 00:09:11 the entire world. It's a certain subset of maybe an organization, the knowledge workers or the directors above or what have you, but they're usually the ones who require the most handholding. If I could enable a smartphone to be your key into my environment, that to me would be the ultimate customer service play. You don't have to carry anything extra. You don't have to do anything. You walk up to your PC with your mobile phone in your hand. It recognizes who you are. It logs you in. Can you imagine how easy that would make life? No more passwords. Your phone is your key. To me, that would be the ideal customer service play because most people already have phones
Starting point is 00:09:49 and it just makes good sense and it's secure. There's an opportunity there to raise the bar on that customer service level. I asked Gary, the former USAA CSO, about how to sell this idea to the board, this multi-month, perhaps multi-year project that was going to eat up resources in terms of time and money from the internal IT and security organizations when they
Starting point is 00:10:11 could be doing other things. I think it's not a hard conversation with anyone to say, you know, we know that passwords, credentials, user credentials are targeted by the bad guys. If you look at the Verizon data breach report, any of those reports out there, one of the number one things that gets targeted by an adversary are user credentials of employees. They compromise them. They move laterally. They try to escalate privileges where they can. They gain access to resources. It's a wash, rinse, repeat cycle that's used. When you start thinking about vulnerabilities within an environment, if you can eliminate one of those key vulnerabilities, which is user credentials, passwords, you're going to have a harder environment for the bad guys to be successful. And so for us, we started looking at that, I don't know, three years ago or so, and started
Starting point is 00:10:58 putting together an architecture and a roadmap on how to get there. At a high level, it's an easy selling point. It's really easy. If you do this right, the user experience is much better. You don't have to worry about remembering a password. You don't have to change it every 90 days. You can come up with all these long, complex requirements, multiple characters, uppercase, lowercase numbers. Somebody's got to remember that.
Starting point is 00:11:23 And what do they typically do? They write it down, right? Or they forget about it. From a pure user experience perspective, easy selling point, right? Once you're provisioned inside that ecosystem, once you're assigned whatever the recognition variable is, that is now tied to a authentication mechanism, which doesn't require the establishment of a password. Maybe there's a combination of FIDO key, multiple options. And that was our approach. It's like a menu. Some people like push notifications. I love that. Some people like a FIDO key. Some people like an SMS text, which we're trying to get away from SMS just because it's been deprecated, but it's still better than a password that you have to remember. Once you get a suite of options available for a user,
Starting point is 00:12:10 that experience is much better. But the selling point is, hey, this is better for the user, but what's the real lift here is security. We're hardening our environment significantly, and we're eliminating a threat vector. I agree with Gary that convincing the board to pursue a passwordless authentication project is relatively easy compared to the actual day-to-day tactics of running the project and showing progress to an impatient leadership team. The hard part of all of this is the how. How are you going to get there over time? For those that may not understand the mysterious world of identity and access management, it's really complex to eliminate a password authentication mechanism in a mid to large size IT environment. One where it's not even all homogeneous. You have other
Starting point is 00:12:53 applications that are maybe external to your environment that are integrated into your environment. You have different hardware, different employee segments out there needing different level of resources. You have this mix match of lots of different requirements. All of it is dependent upon an authentication mechanism, which is based on typically a user ID and a password. How do you scale a passwordless mechanism across that? And that is hard. It's an easy thing to sell and it's a hard thing to implement because most people run out of patience right before they get there. One thing to consider, don't settle. If you're going after a passwordless authentication system, don't stop until you get there.
Starting point is 00:13:35 You can get to passwordless authentication in what I call the poor man's approach. You create a password, you stick it in the vault, and now you use multi-factor in front of this. But behind the scenes, there's still a password out there that's in play. Yeah, it is protected in a password vault of some sort. And that can be a great interim strategy, which is what we try to do as well. But ultimately, you want to get away from the password in any form. If you can't get single sign-on across that environment, and somebody says, oh, well, we'll need a password here. Here are the five exceptions. That's just not going to work because you're going to be back
Starting point is 00:14:08 to where you were at the beginning. One thing is certain. You don't just flip a switch and get this thing going. Expect trouble and be flexible. The complexity of this whole journey, as we discovered, we've had some stops and starts in our own journey. We started with a vendor that we had a pretty good set of requirements. And our environment is probably not unlike many other mid- to large-size companies. You have a bunch of homegrown applications. You have a bunch of external applications. Typically, software-as-a-service type of environments. You have some things in between.
Starting point is 00:14:39 For that to work in that environment, hundreds if not thousands of applications, people don't want to have to log into each of those applications every time they use them. You have this little thing called single sign-on, which you have to account for in this environment. And therein lies the real complexity. You have to have the underlying technology, which allows you to scale across this heterogeneous environment and to be able to implement this federated ecosystem of single sign-on. If not, then you're back to the exact same boat. It's either all or nothing for this to really, really work. In our particular journey, we had some issues with the vendor that we originally selected.
Starting point is 00:15:15 We discovered after piloting early on, they're not going to be able to scale. They're not going to be able to give us the experience that we need. We said, okay, we'll take a strategic pause. We'll re-look at the environment out there in the market, see if there's a better vendor. We found a better vendor, and we actually started implementing this about a year ago. It's a beautiful thing. It's everything I hoped it would be. It was a suite of options for a user to select from. There's ease of recovery mechanisms built in if somehow you have an issue.
Starting point is 00:15:48 There's a federation model that works really well. So it took us a while to get there, and now we've started rolling it out before I left. But that single sign-on is probably one of the biggest sticking points in really making this work over time. This is a journey not for the faint of heart. I will tell you that because you have to take the long view. This is not going to be quick, but the way we did it, we bundled this up as part of a multi-pronged zero trust strategy. The underlying part of his identity access management
Starting point is 00:16:14 focused on eliminating the password. From a strategic and marketing and communication perspective, it makes perfectly good sense. The problem is people can get excited about it and they want it really quick. But this is not going to be quick. You really have to have a methodical approach. You have to really segment out your employee populations. And some of that's third party, some of that contact, call center type of stuff.
Starting point is 00:16:39 Each of those segments of users may have a different set of challenges. So you've got to be methodical and moving ahead. I like the pilot approach. Start small, but think big. And what we did was we start off with the employee population. That was part of that. Eat our own dog food first. Learn just how do you start?
Starting point is 00:16:58 How do you provision this? Gary's recommendation is to take it in pieces. In other words, don't try to eat the entire elephant in one bite. If somebody's coming in from scratch, what would that experience look like? Then the next thing I wanted to do was, okay, this is working pretty good. What's our highest risk population today? It's people with elevated privileges. So let's drag those guys into the pilot as quickly as possible.
Starting point is 00:17:20 Get them on it because we're going to get some lift from a security perspective. We're going to get them involved. Now, remember, there's still a password out there. You're in a pilot, so you've got your foot in two canoes. One is we're moving to this environment. We're in a pilot. Oh, what over here? Yeah, every 90 days, I still got to change that darn password and remember it. This is not something that you can move into, right, and cut off passwords. It's either all or nothing. And that's why you've got to have a long-term strategy to do this. And it could be, you know, it's not going to be months, more like, you know, low number of years to get there. But if you never start it, you'll never get there. The question then is this, is the transition away from passwords inevitable?
Starting point is 00:18:01 Even though there has been slow progress and the journey is fraught with potholes and landmines, I'll let Nikk have the last word. I have this thing that I've tweeted and I've shared on LinkedIn a number of times and I love to repeat it. I always refer passwords to like floppy disks and their usefulness just before the floppies became extinct. That's about the level of use we get out of passwords.
Starting point is 00:18:23 And it's just really not a useful thing. Next up is my conversation with J. Wolfgang Goerlich, advisory CISO for our show sponsor, Duo Security. There is a certain nostalgia, especially for those of us of a certain age, with our first password. The first time you're on a BBS, maybe the first time you're on email, it feels pretty cool, right? I'm going to create a secret between me and the machine. Right. This machine has more than one user. Wow. It must be amazing. You know, the original passwords, though, came out in the 60s.
Starting point is 00:19:15 So it was IBM 7094, if memory serves, at MIT. 1961, the very first passwords were implemented. And, of course, it was an accounting mechanism to keep the right people in the right spot and make sure people didn't use too much computing. And you might imagine students loved it. Oh, they absolutely didn't. No.
Starting point is 00:19:36 The very first password breach was within 12 months. One of the students, yeah, he dumped out all the passwords. He printed them out and handed them around. And so, you know, time passes. And I mean, is this one of those things where it seemed like a good idea at the time, but now we find we're kind of dragging
Starting point is 00:19:53 this password anchor behind us wherever we go? I think so. I think that's a good way of putting it. You know, for 60 years, we've had a password as the first and sadly, sometimes the last line of defense. And what's happened over that time is we've really had two choices in a long running game. And the choice was demand more of the people, longer passwords, more complex passwords, rotated passwords, unique passwords, which might have been fun when you had one BBS.
Starting point is 00:20:24 But today's workforce, when you have hundreds of apps, not so much fun. Or we had the second option, which was demand more of the machine, right? So after the first password breach, they yelled at the guy. After the second password breach, which was a few years later, the message file got mixed up with the password file. So everyone logged in, so everyone's passwords. That was the first chance and first opportunity where we demanded more of the machines.
Starting point is 00:20:52 We'll encrypt it, okay? Now people are stealing the encrypted file. Okay, we'll protect the file, okay? Now they're bypassing it and stealing out of memory. All right, we're going to hash it. We're going to salt it. We're going to do all these things. And we've had this cat and
Starting point is 00:21:05 mouse for six decades. And every time we get a little bit ahead, something comes out and compromises the security. And at the end of the day, we're not doing right by people for sure. So what are the possibilities then? I mean, I know you all have a framework that you recommend, a series of technical controls that we can use to authenticate our sessions. What are the possibilities today? Yeah, so today a lot of it is still a password with a multi-factor. And that multi-factor could be something very easy and ubiquitous and easy to break like SMS. It could be something more complex and more complicated like a one-time passcode. It can be something that offers a great user experience like a push or a security key on your device.
Starting point is 00:22:00 But each one of these things is really just adding one more level to that password. And so as we look to the future, what I'm really excited about is the dawning realization that maybe we don't need a password at all, right? Maybe we can rely on biometrics and a security key or, you know, a push notification on a phone. Yeah, I mean, I have to say that probably the most gratifying regular security interaction that I have in my life is with my iPhone, you know, using Face ID, you know, where I don't really think about it. It is very reliable.
Starting point is 00:22:39 I consider it to be secure because I have both the phone in my hand, which, you know, I have the device, and it's looking at my face, and it lets me in. This works for me, and I kind of wish that I could have that lack of friction in all of my interactions. Is that on the horizon, that sort of thing? It certainly is. And the face idea is also an interesting one, right? Because before I get to where we're going with the future of this, think about that from just a moment. We've got a good ability to see the person, and now people are going to try and bypass it, right?
Starting point is 00:23:16 This cat and mouse game that we played forever. So instead of requiring people to have multiple faces and rotate faces hand to hand, right? What do we do? We ask more of the machine. We ask our manufacturers to provide us with better cameras, better sensors. We ask our software developers to do anti-fraud. You know, you can't necessarily ship out a better keyboard every time someone steals your password,
Starting point is 00:23:40 but we can, with these hardware platforms, keep iterating and getting them more and more accurate and reducing the false acceptance rate. And so I think that person or the machine angle that I mentioned earlier has really shifted when we think about things like Face ID on our phone or Windows Hello on our Windows computers. So in a world of authentication without passwords, what does that look like for the user? If I'm someone who comes and sits down at my machine, I'm ready to start my day, how does that interaction, what does it look like?
Starting point is 00:24:16 Yeah, there's a couple of different things. We need to identify you and we need to authenticate you. So when we think about things like Face ID, those are oftentimes the same step, right? Oh, look, it's you, it's me. Okay, you're in. In other areas like web applications that we all know and love,
Starting point is 00:24:37 we're still going to have to put in our email address. We're still going to have to do something to tell that application that, hey, look, this is Wolfgang. So I put in my email address, and then it goes ahead, and it will prompt you, hey, is it okay if we authenticate you? And it can use the camera. It can use Face ID.
Starting point is 00:24:54 It can use Touch ID. It can use biometrics. So we'll give it some feedback as to, okay, here's my email address. Here's how I want to authenticate. And then we'll complete that authentication gesture, and then we're in. Then we're in just like before, and we can go ahead and use our applications. It seems to me like part of getting this right is the reality that it's a little bit out of balance. In other words, I can have a hundred interactions where I'm able to log in and access the things I need to do
Starting point is 00:25:30 and they can be frictionless and they can all work perfectly well. But boy, that one time when it doesn't work and I find myself banging my head against the desk, that's what I'm going to take with me and remember. Yes, yes. Isn't that human nature, right? No, I think you're spot on there.
Starting point is 00:25:46 And the other thing to keep in mind is that we do have six decades of tech debt to address. So when I'm talking about this great experience, it's a great experience getting into your phone, like you mentioned. But I bet you not all your apps are that way. I bet you if you think about everything you use in the workforce, there's probably a number of applications that are still legacy and still holding on to old tech. So there will be two things that need to happen. The forward edge will need to get very reliable and very consistent. We need muscle memory. It needs to look, feel, taste, and be the same again and again and again. That level of quality and assurance is only going to come as these systems roll out and that we use them and do the quality engineering on the back end.
Starting point is 00:26:38 And the second aspect of that is there's going to be this long tail. We're still going to be frustrated with passwords into the near future as we have these legacy systems that need to get updated and moved over. What are your recommendations then for the folks who are responsible for the IT and the security in their organizations? If they're on board with this and they see that passwordless authentication is the future. How do they start down that pathway? Where do they begin? I think it's a great time to do some pilots. It's a great time to familiarize yourself with the standards. A lot of that standards work has been done with the FIDO Alliance, which Duo Security is a part of and a big advocate for. So looking at the FIDO 2 standards around
Starting point is 00:27:23 passwordless, such as WebAuthn and CTAP, and familiarizing yourself with how the technology works. The other component to that is because there is going to be such a long tail, because there is going to be such an ongoing process of working with vendors and applications to get them on board, is looking at one of the first use cases, which would be single sign-on. So even if you just have to look, type in your email address and look at the camera, the first time, not a problem. The hundredth time you're doing that in a day, maybe it starts to get a little frustrating.
Starting point is 00:27:58 So not only do we want less passwords, but we also want less authentications. So single sign-on is a really great tool to look at as your first use case, because now we can passwordlessly authenticate to that and use that platform to talk to our downstream apps. We've been talking about passwordless, and that really is the tip of the spear. But if you were to go back 100 years and look at high tech, right? It was the horseless carriage. And the horseless carriage, thinking about it in terms of a carriage without a horse, really didn't think about the vast improvements in safety, security, speed, and the changes in our lives that occurred with that technology. And of course, we're making that
Starting point is 00:28:42 same mistake today with the driverless car. It's always the thing less something. With passwordless authentication, as we described it today, that's exactly where we need to be focusing in on better user experiences. But I think if you're going to be very forward-looking as a security leader and a practitioner, you need to think about increasing trust across all those authentications and what it will mean when we get rid of the password. What are some of the things, the highways, you know, the better cars, the better vehicles, those types of analogies, what are the things that are going to emerge as we make this shift? That's J. Wolfgang Goerlich, advisory CISO for our show sponsor, Duo Security, now part of Cisco. Thank you. CyberWire X is a production of the CyberWire and is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity startups and technologies.
Starting point is 00:29:52 Our senior producer is Jennifer Iben. Our executive editor is Peter Kilby. I'm Dave Bittner. Thanks for listening. Thank you.
