Street cred: increasing trust in passwordless authentication.
Dave Bittner: Hello everyone and welcome to CyberWire-X, a series of specials, where we highlight important security topics affecting organizations worldwide. I'm Dave Bittner. Today's episode is titled Street Cred - increasing trust in passwordless authentication.
Dave Bittner: Good security gets out of the way of users, while getting in the way of adversaries. Passwords fail on both accounts. Users feel the pain of adhering to complex password policies. Adversaries simply copy, break or brute force their way in. Why then have we spent decades with passwords as the primary factor for authentication? From the very first theft of clear text passwords to the very latest bypass of a second factor, time and again, improvements in defenses are met with improved attacks. The industry needs to trust passwordless authentication. What holds us back from getting rid of passwords? Trust.
Dave Bittner: In this episode we'll discuss a framework of technical controls to ensure only trusted sessions authenticate, regardless of faults or failures in any one factor and we'll share a path forward for increasing trust in passwordless authentication.
Dave Bittner: A program note, each CyberWire-X special features two segments. In the first part of the show we'll hear from industry experts on the topic at hand and in the second part we'll hear from our show sponsor for their point of view and, speaking of sponsors, here's a word from our sponsor, Duo Security.
Dave Bittner: To start things off, my CyberWire colleague, Rick Howard speaks with Gary McAlum, a retired CSO, and Nikk Gilbert, CISO for the Cherokee Nations businesses. We'll conclude our program with my conversation with our show sponsor, Duo's Advisory CISO, J. Wolfgang Goerlich for his insights on passwordless authentication.
Dave Bittner: Here's Rick Howard.
Rick Howard: Fernando Corbató, one of our great computer science founding fathers invented the idea of passwords in the early 1960s, to stop MIT students and teachers, who shared the same mainframe and file system, from needlessly nosing around in everybody's files and, by the way, tell them a third time on this, back then, precious computer resource. They imposed a four hour limit on everybody. But by the late 1970s it became clear that this clever hack, back in the day, wasn't a great way to secure systems in general and by the time the internet started to gain traction in the 1990s, anybody from anywhere could try to subvert the system.
Rick Howard: As security practitioners we started dreaming of passwordless authentication systems. Nikk Gilbert is the CISO for Cherokee Nation Businesses and has been involved in deploying these kinds of systems for just under 20 years. I invited him to the CyberWire's Hash Table to ask him to explain what a passwordless authentication system is.
Nikk Gilbert: It'll probably mean different things to different people. What it means to me is an environment where I no longer have to have a password that I constantly have to change and rememorize. We need the industry or the world using multi factor authentication. It's something you know, it's something you have, it's something you are. By at least having two of those things you create an environment where your people are gonna be a little bit more secure, but it's certainly going to prevent a lot of the common mistakes and the common bad guy tricks to get people to do things.
Rick Howard: Gary McAlum has just recently stepped down as the CSO for USAA and this is how he describes those systems.
Gary McAlum: We wanna eliminate user credentials, right, out of the environment. Maybe you have a user I.d. but now you're tied to an authentication mechanism which does not depend on something you type in and change every 90 days.
Rick Howard: In the early internet days Nikk worked for the military as a CIO and CISO in multiple organizations. They were rolling out passwordless authentication systems as early as 2002, in the government, long before the commercial sector started to consider it and, as you know, that's an anomaly. Usually the government is ten years behind the commercial sector in all things tech. But Nikk's frustrated at the lack of progress the community has made since then when, after 20 years, the best we have available to us is the Microsoft Hello program and Apple's touch ID. Here's Nikk.
Nikk Gilbert: When I was a CIO of NATO Base Iceland, back in 2002, we were one of the first bases to deploy what became known as the CAC card, the Common Access Card, where you no longer had to have a password. You had basically multi-factor with your military I.D. card. You'd have your I.D. card and you'd have a pin number and that's how you got access to everything. That's the military in 2002 and it's 2021 and, you know, I went on from NATO Base Iceland to working for this big multinational in Paris. We'd employed, and this is commercial mind you, 43,000 smart cards out of the 100,000 employees. We had 43,000 knowledge workers and we were able to get door access. People were able to buy coffee with their cards, yeah, go to the cafeteria with their cards and that was 2005 and, again, we're in 2021 and what do we have? We have, you know, Windows Hello.
Rick Howard: Nick says that even when we have the tech deployed, leadership is still reluctant to change.
Nikk Gilbert: Let's talk Windows Hello for a second. In a knowledge worker environment, where a person goes to the same PC everyday and the organization has mature life cycle replacement and they've been in a position where they've gotten new laptops that have the right kinda camera for Windows Hello, that puts you in a position, technically, to do it. But you still had this uphill challenge with your users. Everybody wants a passwordless, they don't want to have to continually change their passwords every 90 day. It just seems to me that being able to implement something like that would be a really, a real no brainer, but nobody, at any level, wants to take on the challenge. The mid level IT people are like, "well our laptops don't do that" or "our users can't do that" or "we havent impassioned our TPM software on our laptops" or "the OCM, the organizational change management will be too much for most users to grasp." I mean we're talking something simple here like facial recognition or a PIN number versus continually changing your passwords.
Nikk Gilbert: The biggest challenge that I'm seeing, from the top down, is the lack of willingness to try something new. People are just so change adverse.
Rick Howard: As with many things in tech we need to design these services, especially something we are going to use multiple times a day, like a passwordless authentication system, with the grandmas and the grandpas of the world in mind, not for the silicon valley engineer. Here's Nikk again.
Nikk Gilbert: It's go tot be so easy and so customer friendly. What's that quote, what thing I used to say, it's a no brainer. We've gone through this over the years. Nobody wanted a dongle, nobody wanted a smart card. I'm, I'm not trying to sell anybody anything here but my ultimate vision would be that you have your smartphone, and this is for knowledge workers, which I know isn't everybody, but for your knowledge workers, you could very easily use a smartphone for authentication. We're all addicted to our technology, we all carry smartphones, many of us have Apple watches and I realize it's, it's not the entire world, it's a, a certain subset of maybe an organization and the knowledge workers or the directors above or what have you, but th-- they're usually the ones who require the most hand holding.
Nikk Gilbert: If I could enable a smartphone to be your key into my environment, that, to me, would be the ultimate customer service play. You don't have to carry anything extra, you don't have to do anything. You walk up to your PC with your mobile phone in your hand. It recognizes who you are, it logs you in. You imagine how easy that would make life? No more passwords. Your phone is your key. To me, that would be the ideal customer service play because most people already have phones and it just makes good sense and it's secure.
Nikk Gilbert: There's an opportunity there to raise the bar on that customer service level.
Rick Howard: I asked Gary, the former USAA CSO about how to sell this idea to the board, this multi month, perhaps multi year project that was gonna eat up resources in terms of time and money from the internal IT and security organizations when they could be doing other things.
Gary McAlum: I think it's not a hard conversation with anyone to say, you know, we know that passwords, credentials, user credentials are targeted by the bad guys. If you look at the Verizon data breach report, any of those reports out there, one of the number one things that gets targeted by an adversary are user credentials of employees. They compromise 'em, they move laterally, they try to escalate privileges where they can, they gain access to resources. It's a wash, rinse, repeat cycle that's used. When you start thinking about vulnerabilities within an environment, if you can eliminate one of those key vulnerabilities, which is user credentials, passwords, you're gonna have a harder environment for the bad guys to be successful in.
Gary McAlum: So, for us, we started looking at that, I don't know, three years ago or so, and started putting together architecture and a road map on how to get there. At a high level it's an easy selling point. It's real easy. If you do this right, the user experience is much better. You don't have to worry about remembering a password, you don't have to change it every 90 days. You can come up with all these long complex requirements, multi characters, uppercase, lowercase, numbers; somebody's got to remember that and what do they typically do? They write it down, right, or they forget about it. From a pure user experience perspective, easy selling point, right. Once you're provisioned inside that ecosystem, once you're assigned whatever the recognition variable is, that is now tied to a authentication mechanism which doesn't require the establishment of a password. Maybe there's a combination of FIDO key, multiple options, and that was our approach. It's like a menu. Some people like push notifications. I love that. Some people like a FIDO key. Some people like an SMS text, which we're trying to get away from SMS just because it's been deprecated, but it's still better than a password that you have to remember.
Gary McAlum: Once you get a suite of options available for a user, that experience is much better, but the selling point is, hey, this is better for the user but what's the real lift here is security. We're hardening our environment significantly and we're eliminating a threat vector.
Rick Howard: I agree with Gary that convincing the board to pursue a passwordless authentication project is relatively easy compared to the actual day to day tactics of running the project and showing progress to an impatient leadership team.
Gary McAlum: The hard part of all this is the how. How are you gonna get there over time? For those that may not understand the, the mysterious world of identity and access management, it's really complex to eliminate a password authentication mechanism in a mid to large size IT environment, one where it's not even all homogeneous. You have other applications that are maybe external to your environment, that are integrated into your environment. You have different hardware, different employee segments out there needing different level of resources. You have this BIX match of lots of different requirements. All of it is dependent upon an authentication mechanism, which is based on, typically, a user ID and a password.
Gary McAlum: How do you scale a passwordless mechanism across that? And that is hard. It's an easily thing to sell and it's a hard thing to implement because most people run out of patience right before they get there.
Rick Howard: One thing to consider; don't settle. If you're going after a passwordless authentication system, don't stop until you get there.
Gary McAlum: You can get to passwordless authentication in what I call the poor man's approach. You create a password, you stick it in the vault and now you use multi-factor in front of this. But behind the scenes there's still a password out there that's in play. Yeah, it is protected in password vault of some sort and that can be a great interim strategy, which is what we try to do as well but, ultimately, you wanna get away from the, the password in any form. If you can't get single sign on across that environment and somebody says "oh well, we'll need a password here, here are the five exceptions." That's just not gonna work 'cause you're gonna be back to where you were at the beginning.
Rick Howard: One thing is certain. You don't just flip a switch and get this thing going. Expect trouble and be flexible.
Gary McAlum: The complexity of this whole journey, as we discovered, we've had some stops and starts in our own journey. We started with a vendor that we had a pretty good set of requirements and our environment's probably not unlike many other mid to large size companies. You have a bunch of home grown applications, you have a bunch of external applications, typically softwares and service type of environments, you have some things in between. For that to work in that environment, hundreds, if not thousands of applications, people don't wanna have to log into each of those applications every time they use 'em. You have this little thing called single sign on, which you have to account for in this environment and therein lies the real complexity. You have to have the underlying technology, why allows you to scale across this heterogeneous environment and to be able to implement this federated ecosystem of single sign on. If not, then you're back to the exact same boat. It's either all or nothing for this to really, really work.
Gary McAlum: In our particular journey we had some issues with the vendor that we originally selected. We discovered after piloting early on, they're not gonna be able to scale and they're not gonna be able to give us the experience that we need. So we said, okay, we'll take a strategic pause, we'll re-look at the environment out there and the market, see if there's a better vendor. We found a better vendor and we actually started implementing this about a year ago. It's a beautiful thing. It's everything I hoped it would be. It was a suite of options for users to select from. There's ease of recover mechanisms built in. If somehow you, you have an issue there's a federation model that works really well.
Gary McAlum: So, it took us a while to get there and, and now we've started rolling it out before I left. But that single sign on is probably one of the biggest sticking points in really making this work over time. This is a journey not for the faint of heart, I, I will tell you that, because you have to take the long view, this is not gonna be quick. But the way we did it, we bundled this up as part of a multi prong, zero trust strategy. The underlying part of it is identity access management, focused on eliminating the password. From a strategic and marketing and communication perspective it, it makes perfectly good sense. The problem is people can get excited about it and they want it really quick. But this is not gonna be quick. You really have to have a methodical approach. You have to really segment out your, your employee population and some of that's third party, some of that contact, call center type of stuff. Each of those segments of, of users may have a different set of challenges. So you got to be methodical in moving ahead.
Gary McAlum: I like the pilot approach; start small but think big and what we did was we start off with a employee population, I was part of that, eat our own dog food first. Learn just how do you start, how do you provision this?
Rick Howard: Gary's recommendation is to take it in pieces. In other words, don't try to eat the entire elephant in one bite.
Gary McAlum: If somebody's coming in from scratch, what would that experience look like? Then the next thing I wanted to do was, okay, this is working pretty good, what's our highest risk population today? It's people with elevated privileges. So let's drag those guys into the pilot as quickly as possible, get them on it 'cause we're gonna get some lift from a security perspective, we're gonna get them involved. Now remember, there's still a password out there. You're in a pilot, so you've got your foot in two canoes. One is we're moving to this environment, we're in a pilot, oh, well over here, yeah, every 90 days I still got to change that darn password and remember it. This is not something that you can move into, right, and cut off passwords. It's either all or nothing and that's why you've got to have a long term strategy to do this and it could be, you know, it's not gonna be months, more like, you know, low number of years to get there but if you never start it you'll never get there.
Rick Howard: The question then is this; is the transition away from passwords inevitable, even though there has been slow progress and the journey is fraught with potholes and land mines? I'll let Nikk have the last word.
Nikk Gilbert: I, I have this thing that I've tweeted and I, I've shared at LinkedIn a number of times and I love to repeat it. I always refer passwords to like floppy discs in their usefulness just before the floppies became extinct. That's about the level of use we get out of passwords and it's just really not a useful thing.
Dave Bittner: Next up is my conversation with J. Wolfgang Goerlich, advisory CISO for our show sponsor, Duo Security.
J. Wolfgang Goerlich: There is a certain nostalgia, especially for those of us of a certain age, with our first password, the first time you're on a BBS, maybe the first time you're on email, it feels pretty cool, right. I'm, I'm gonna create a secret between me and the machine.
Dave Bittner: Right. This machine has more than one user.
J. Wolfgang Goerlich: It must be amazing. You know, the, the original passwords though came out in, in the sixties, so it was a IBM 7094, if memory serves, at MIT, in 1961, the very first passwords were implemented and, of course, it was an accounting mechanism to keep, keep the right people in the right spot and make sure people didn't use too much computing and, you might imagine, students loved it, oh they absolutely did. No, no. the very first password breach was within 12 months, one of the students...
Dave Bittner: Really?
J. Wolfgang Goerlich: Yeah, he dumped out all the passwords, he printed 'em out and handed 'em round.
Dave Bittner: And so, you know, time passes and I mean is this one of those things where it seemed like a good idea at the time but now we find we're kinda dragging this password anchor behind us wherever we go?
J. Wolfgang Goerlich: I think so, I think that's a good way of putting it, you know. For, for 60 years we've had a password as the first and, sadly, sometimes the last line of of defense. And what's happened, over that time, is we've, we're really had two choices in, in a long running game, and the choice was demand more of the people, longer passwords, more complex passwords, rotated passwords, unique passwords, which might have been fun when you had one BBS, but today's workforce, when you have hundreds of apps, not so much fun. Or we had the, the second option, which was demand more of the machine, right. So, after, after the first password breach they yelled at the guy, after the second password breach, which was a few years later, the, the message file got mixed up with the password file, so everyone logged into everyone's passwords. That was the first chance and first opportunity where we demanded more of the machines. We, we'll encrypt it. Okay, now people are still in the encrypted file. Okay, we'll protect the file. Okay, now they're, now they're bypassing it and stealing out memory, alright. We're gonna hash it, we're gonna assault it, we're gonna, we're gonna do all these things and we've had this cat and mouse for, for six decades and every time we get a little bit ahead, something comes out and compromise the security and then, at the end of the day, we're, we're not doing, doing right by, by people for sure.
Dave Bittner: So, what are the possibilities then? I mean I, I know you all have a framework that you recommend, a series of technical controls that, that we can use to authenticate our sessions and what are the possibilities today?
J. Wolfgang Goerlich: Yeah, so today a lot of it is is still password with a multi-factor and that multi-factor could be something very easy and ubiquitous and easy to break, like SMS, it could be something more complex and more complicated, like a, a one time pass-code, it can be something that offers a great user experience, like a push, or a security key on, on your device, but each one of these things is really just adding one more level to, to that password and so as we look to the future, what I'm really excited about is the dawning realization that maybe we don't need a password at all, right, maybe we can rely on on biometrics and and a security key or, or, you know, a a push notification on a phone.
Dave Bittner: Yeah, I mean I have to say that probably the most gratifying regular security interaction that I have in my life is, is with my iPhone, using face ID, you know, where I don't really think about it. It is very reliable. I consider it to be secure, 'cause I have both the phone in my hand, which, you know, I have the device and it's looking at my face and, and it lets me in. This works for me and I, I kind of wish that I could have that, that lack of friction in all of my interactions. Is, is that on the horizon that sort of thing?
J. Wolfgang Goerlich: It, it certainly is and the, the face ID is also an interesting on, right, because before I get to where we're going with the future of this, think about that for just a moment. We've got a, a good ability to to see the person and now people are gonna try and bypass it, right, this cat and mouse game that we've played forever. So, instead of requiring people to have multiple faces and rotate faces and, and, right, what do we do? We, we ask more of the machine. We ask our manufacturers to provide us with better cameras, better sensors. We ask our, our software developers to do anti fraud. You know, you can't necessarily ship out a better keyboard every time someone steals your password, but we can, with these hardware platforms, keep iterating and getting 'em more and more accurate and reducing the false acceptance, right. And so I think, that, that person or the machine angle, that I mentioned earlier, has really shifted when we think about things like our face ID on our phone or, or Windows Hello on, on our Windows computers.
Dave Bittner: So, in a world of authentication without passwords, what does that look like for the user? If I'm someone who comes and sits down at my machine, I'm ready to start my day, how does that interaction, what does it look like?
J. Wolfgang Goerlich: Yeah, there's a, there's a couple of different things. We need to identify you and we need to authenticate you. So, when we think about things like face ID, those are oftentimes the same staff, right. Oh look it's, it's you, it's me, okay, you're in. In other areas, like web applications, that we all know and love, we're still gonna have to put in our email address, we're still gonna have to do something to tell that application that, hey, look, this, this is Wolfgang. So, I put in my, my email address and then it goes ahead and it will prompt you, hey, is it okay if we authenticate you and it can use the camera, it can use face ID, it can use touch ID and it can use biometrics. So we'll give it some feedback as to, okay, here's my email address, here's how I want to authenticate and, and then we'll complete that authentication gesture and then we're in. Then we're in just like before and we go ahead and and use our applications.
Dave Bittner: It seems to me like part of getting this right is the reality that... it's a little bit out of balance. In other words, I can have 100 interactions where I, I, I'm able to login and access the things I need to do and they can be frictionless and they can all work perfectly well, but boy, that one time when it doesn't work and I find myself banging my head against the desk. That's what I'm gonna take with me and remember.
J. Wolfgang Goerlich: Yes, yes. It's that human nature, right. No, I think, I think you're spot on there and the other thing to keep in mind is that we do have six decades of tech debt to address. So, while what I'm talking about this great experience, you know, it's, it's a great experience getting into your phone, like you mentioned, but I bet you not all your apps are that way. I bet you, if you think about everything you use in the workforce, there's probably a number of applications that are still legacy and and still holding onto old tech. so, there will be two things that need to happen. The forward edge will need to get very reliable and very consistent. We need muscle memory. It needs to look, feel, taste and and be the same again and again and again. That, that level of, of quality and assurance is only gonna come as these systems roll out and that we, we use them and and do the, the quality engineering in the back-end, and the second aspect of that is there's gonna be this long tail. We're still gonna be frustrated with passwords into the near future, as we have these legacy systems that, that need to get updated and moved over.
Dave Bittner: What are your recommendations then for the folks who are responsible for the IT and the security in their organizations? If they're on-board with this and they see that passwords authentication is the future, how do they start down that pathway? Where do they begin?
J. Wolfgang Goerlich: I think it's a, a great time to do some pilots, it's a great time to familiarize yourself with the standards. A lot of that standards work has been done with the FIDO alliance, which Duo Security is a part of and a big advocate for. So, looking at the FIDO2 standards around passwordless, such as WebAuthn and CTAP and, and familiarizing yourself with how the technology works. The other component to that is because there is gonna be such a long tail, because there is gonna be such an ongoing process of working with vendors and applications, to get 'em on-board, is looking at one of the first use cases, which would be single sign on. So, even if you're, even if you just have to look, type in your email address and look at the camera, the first time, not a problem, the hundredth time you're doing that in a day maybe starts to get a little frustrating. So, not only do we want less passwords but we also want less authentications. So single sign on is a really great tool to look at as your first use case because now we can passwordlessly authenticate to that and use that platform to talk to our downstream apps.
J. Wolfgang Goerlich: We've been talking about passwordless and that really is the tip of the spear. But if you were to go back 100 years and look at high tech, right, it was, it was the horseless carriage and the horseless carriage, thinking about it in terms of a carriage without a horse really didn't think about the, the vast improvements and safety security speed and the changes in our lives that occurred with that technology, and of course we're making that same mistake today with the driverless car. It's, it's always the thing less something. With passwordless authentication, as we've described it today, that's exactly where we need to be focusing in on, better user experiences. But I think, if you're gonna be very forward looking, as a security leader and a practitioner, you need to think about increasing trust across all those authentications and what it will mean when we get rid of the password. What are some of the things, the highways, you know, the better cars, the better vehicles, those types of analogies. What are the things that are gonna emerge as we make this shift?
Dave Bittner: That's J. Wolfgang Goerlich, advisory CISO for our show sponsor, Duo Security, now part of Cisco. On behalf of my colleague, Rick Howard, our thanks to Gary McAlum and Nikk Gilbert for sharing their expertise and to Duo's J. Wolfgang Goerlich for joining us. CyberWire-X is a production of the CyberWire and is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cyber security start ups and technologies. Our senior producer is Jennifer Eiben, our executive editor is Peter Kilpe. I'm Dave Bittner. Thanks for listening.