19 March 2021

From ‘You’ve been pwned’ to passwordless: Secure access made easy – An interview with Yubico’s Chief Solutions Officer

Written by Alastair Rees

We speak to Yubico's CSO about the problem with passwords, different modern authentication solutions, and how to make passwordless a success in your organisation.

With over 20 years in the enterprise mobility space, Jerrod Chong brings a wealth of experience in modern authentication and open standards passwordless technologies that are key to secure remote working solutions.

A regular on the conference circuit, Jerrod has delivered numerous presentations on modern authentication and open standards at leading IT Security conferences, including Black Hat, Identiverse, Gartner IAM, and many others.

I caught up with Jerrod to get his unique insight on the current challenges with passwords, and what he believes the future holds for passwordless authentication technologies.

"Strong authentication, like passwordless, is the best way to combat rising phishing attacks."

Al Rees: Hi Jerrod, thanks for taking the time to talk with us. With the significant rise in remote working over the last 12 months, what do you feel organisations and security teams should be most concerned about?

Jerrod Chong: Hackers capitalise off of fear, uncertainty, and confusion. The rapid shift to remote work over the last 12 months has seen a corresponding explosion of phishing and man-in-the-middle type attacks.

As we feel the loss of control in the security of our systems and the information we use, it’s critical for organisations to re-establish trust with users in this increasingly decentralised work environment.

With this shift to remote work, a lot more emphasis is being placed on the end-user to follow security best practice. But organisations cannot solely rely on their users to recognise and prevent account takeover attacks – employee education and proper training aren’t enough.

Strong, phishing-resistant two-factor authentication (2FA) or multi-factor authentication (MFA) needs to be included in an organisation’s security infrastructure.

Strong authentication options, like security keys, are the most effective method when it comes to combating phishing and man-in-the-middle attacks.

AR: Why are passwords no longer enough as a form of secure authentication?

JC: The world has moved on and organisations cannot afford to rely only on passwords or even basic MFA to protect against commonly known basic social engineering attacks.

Passwords are ineffective against modern phishing attacks and best practices require that they are unique and complex. This makes them far more difficult to use and remember, resulting in users reusing passwords everywhere.

As a result, 81% of data breaches are due to weak or stolen passwords (Verizon, Data Breach Investigations Report, 2017) and the MITRE ATT&CK® framework documents a variety of techniques that adversaries use to steal account names and passwords.

Security threats and attacks have evolved, while password hygiene defences have stayed stagnant, meaning organisations need to either use something additional to a password (2FA), or they need to replace passwords entirely (passwordless).

AR: For organisations considering a move to a passwordless strategy – how would the CISO know the right option to choose?

JC: In order to remove passwords, we have to remember why passwords exist in the first place and why they’re still used everywhere, despite offering weak security and a poor user experience.

Ultimately, it comes down to three powerful capabilities: portability, interoperability, and backwards compatibility.

Passwords allow users to access any site, on any device, from any location, and no matter what, it never changes the user experience.

To effectively solve the password problem, we must provide an alternative solution that is equally portable, interoperable, and backwards compatible in addition to being more secure. So, what should you choose?

A lot of the passwordless technology stacks on the market today have a mix of security, usability and scalability trade-offs. For example, something like an email magic link may offer a simple user experience but it is still phishable and doesn’t scale across all the applications in an enterprise (it doesn’t work well to log in to a computer, for example).

At Yubico, the way we look at solving the password problem is through an open authentication standard – FIDO2 and WebAuthn – the standard allows for interoperability at scale.

Passwordless authentication can only be solved at scale, with strong phishing-resistant security, and through a seamless user experience that works natively across all devices, apps and browsers.

In addition, FIDO2 and WebAuthn open standards allow for that consistent login experience across any service or application.

Over the past two years, FIDO2 and WebAuthn passwordless support has been adopted by several leading cloud services and all major platforms and browsers. But it’s important to understand that the passwordless process for organisations is a journey, not an overnight transition.

This transitory period is what the YubiKey was designed for – to be able to meet organisations right where they are and evolve with their security requirements and infrastructure.

YubiKeys are designed to support the broadest set of security protocols to bridge the gap from legacy to modern authentication.

AR: How does passwordless work to reduce security threats and save costs for a business?

JC: There are three factors – and their associated cost implications – that must be calculated when deploying MFA enterprise-wide:

  • Security
  • Usability
  • Scalability

As described above, FIDO2 and WebAuthn standards-based passwordless solutions deliver on all three.

According to IBM, the average cost of a data breach in 2020 was $8.64 million in the US ($3.86 million globally). And that’s not counting the cost in lost revenue of a reputational hit.

FIDO2 and WebAuthn replace static passwords and shared secrets with phishing-resistant public key cryptography. Not only does this significantly reduce the risk of a data breach, but enterprises can also eliminate the overhead costs associated with password management.

For organisations like Microsoft, password resets can cost upwards of 12 million dollars a month!

When thinking about usability, a poor experience will not only cause employees to be less productive, but it will also make them more likely to shun or circumvent the process – all of which are expensive outcomes.

FIDO2 and WebAuthn deliver an elegant user experience with single-gesture actions (via security keys or biometrics) that are reported as being up to four times faster than other MFA methods (Google security key research). This can significantly increase workforce productivity.

Lastly, when considering a company-wide authentication solution, it’s important to consider how scalable and interoperable it is in various environments, and with different devices and business applications.

For example, would an MFA or passwordless solution work across all situations in your organisation? It should work easily in the office environment and on all company managed devices, but have you considered other scenarios:

  • Consistently securing BYOD?
  • Easy, secure sign-in options for warehouse, shop floor or logistics workers?
  • Workers on shared terminals and devices?
  • And more…

If you select a standards-based passwordless or MFA solution that works across the board, independently of mobile connectivity, and with a seamless user experience, you can reduce the costs and complexities associated with managing several different authentication mechanisms.

AR: Looking towards the next 5-10 years, what excites you about the future of passwordless, and what should business leaders be looking out for?

JC: At the end of the day, we want to move away from passwords simply because they’re no longer a reliable way to prevent credential theft including basic phishing attacks.

Passwordless, for most people, is about achieving a frictionless login experience that provides a very simple, easy to understand, and user-friendly interaction with the service – that’s the goal.

We are in a very exciting time where the WebAuthn and FIDO2 open standards are finally here in all modern operating systems and browsers, and now service providers and application developers have an opportunity to start implementing this new experience.

Hopefully, over the next 5-10 years we see greater adoption of passwordless and stronger phishing-resistant authentication in general.

AR: What’s the next big thing coming down the pipeline from the Yubico/Microsoft passwordless partnership?

JC: Yubico and Microsoft spearheaded the journey to passwordless authentication nearly five years ago when building the first working reference designs for the FIDO2 standard and we’ve recently brought a lot of this work to fruition with some exciting announcements.

As of March 2021, Microsoft Azure AD is generally available for passwordless login, enabling admins to leverage a passwordless login flow for their users with a variety of authentication options including Windows Hello, Microsoft Authenticator App, and FIDO2 security keys, like YubiKeys.

We’ve also expanded our partnership with Microsoft AccountGuard to deliver YubiKeys, free of cost, to high-profile and high-risk organisations.

Microsoft has been an important player in the journey to passwordless authentication and a valuable partner to Yubico. We’ll continue to work and innovate together to improve passwordless options for individuals and enterprises and ultimately make security simpler and more accessible across Microsoft ecosystems.

Key takeaways

  • Phishing attacks are on the rise – and should be a key concern for organisations without modern authentication processes.
  • Passwordless makes the authentication experience simple and scalable for both the organisation and the end user.
  • If you're looking to go passwordless – choose solutions based on the FIDO2 standard for maximum coverage.
About Alastair Rees

Head of Alliances and Marketing

Al has been in the IT industry for 20 years and is still excited by the pace of change and technological innovation that steers our personal and professional lives. Al’s role as alliances and...
