We speak to Yubico's CSO about the problem with passwords, different modern authentication solutions, and how to make passwordless a success in your organisation.
With over 20 years in the enterprise mobility space, Jerrod Chong brings a wealth of experience in modern authentication and open standards passwordless technologies that are key to secure remote working solutions.
A regular on the conference circuit, Jerrod has delivered numerous presentations on modern authentication and open standards at leading IT Security conferences, including Black Hat, Identiverse, Gartner IAM, and many others.
I caught up with Jerrod to get his unique insight on the current challenges with passwords, and what he believes the future holds for passwordless authentication technologies.
Al Rees: Hi Jerrod, thanks for taking the time to talk with us. With the significant rise in remote working over the last 12 months, what do you feel organisations and security teams should be most concerned about?
Jerrod Chong: Hackers capitalise off of fear, uncertainty, and confusion. The rapid shift to remote work over the last 12 months has seen a corresponding explosion of phishing and man-in-the-middle type attacks.
As we feel the loss of control in the security of our systems and the information we use, it’s critical for organisations to re-establish trust with users in this increasingly decentralised work environment.
With this shift to remote work, a lot more emphasis is being placed on the end-user to follow security best practice. But organisations cannot solely rely on their users to recognise and prevent account takeover attacks – employee education and proper training aren’t enough.
Strong, phishing-resistant two-factor authentication (2FA) or multi-factor authentication (MFA) needs to be included in an organisation’s security infrastructure.
Having strong authentication options, like security keys, is the most effective method when it comes to combating phishing and man-in-the-middle attacks.
AR: Why are passwords no longer enough as a form of secure authentication?
JC: The world has moved on and organisations cannot afford to rely only on passwords or even basic MFA to protect against commonly known basic social engineering attacks.
Passwords are ineffective against modern phishing attacks and best practices require that they are unique and complex. This makes them far more difficult to use and remember, resulting in users reusing passwords everywhere.
As a result, 81% of data breaches are due to weak or stolen passwords (Verizon, Data Breach Investigations Report, 2017) and the MITRE ATT&CK® framework documents a variety of techniques that adversaries use to steal account names and passwords.
Security threats and attacks have evolved, while password hygiene defences have stayed stagnant, meaning organisations need to either use something additional to a password (2FA), or they need to replace passwords entirely (passwordless).
AR: For organisations considering a move to a passwordless strategy – how would the CISO know the right option to choose?
JC: In order to remove passwords, we have to remember why passwords exist in the first place and why they’re still used everywhere, despite offering weak security and a poor user experience.
Ultimately, it comes down to three powerful capabilities: portability, interoperability, and backwards compatibility.
Passwords allow users to access any site, on any device, from any location, and no matter what, it never changes the user experience.
To effectively solve the password problem, we must provide an alternative solution that is equally portable, interoperable, and backwards compatible in addition to being more secure. So, what should you choose?
A lot of the passwordless technology stacks on the market today have a mix of security, usability and scalability trade-offs. For example, something like an email magic link may offer a simple user experience but it is still phishable and doesn’t scale across all the applications in an enterprise (it doesn’t work well to log in to a computer, for example).
At Yubico, the way we look at solving the password problem is through an open authentication standard – FIDO2 and WebAuthn – the standard allows for interoperability at scale.
Passwordless authentication can only be solved at scale, with strong phishing-resistant security, and through a seamless user experience that works natively across all devices, apps and browsers.
In addition, FIDO2 and WebAuthn open standards allow for that consistent login experience across any service or application.
Over the past two years, FIDO2 and WebAuthn passwordless support has been adopted by several leading cloud services and all major platforms and browsers. But it’s important to understand that the passwordless process for organisations is a journey, not an overnight transition.
This transitory period is what the YubiKey was designed for – to be able to meet organisations right where they are and evolve with their security requirements and infrastructure.
YubiKeys are designed to support the broadest set of security protocols to bridge the gap from legacy to modern authentication.
AR: How does passwordless work to reduce security threats and save costs for a business?
JC: There are three factors – and their associated cost implications – that must be calculated when deploying MFA enterprise-wide:
As described above, FIDO2 and WebAuthn standards-based passwordless solutions deliver on all three.
According to IBM, the average cost of a data breach in 2020 was $8.64 million in the US ($3.86 million globally). And that’s not counting the cost in lost revenue of a reputational hit.
FIDO2 and WebAuthn replace static passwords and shared secrets with phishing-resistant public key cryptography. Not only does this significantly reduce the risk of a data breach, but enterprises can also eliminate the overhead costs associated with password management.
For organisations like Microsoft, password resets can cost upwards of 12 million dollars a month!
When thinking about usability, a poor experience will not only cause employees to be less productive, but it will also make them more likely to shun or circumvent the process – all of which are expensive outcomes.
FIDO2 and WebAuthn deliver an elegant user experience with single-gesture actions (via security keys or biometrics) that are reported as being up to four times faster than other MFA methods (Google security key research). This can significantly increase workforce productivity.
Lastly, when considering a company-wide authentication solution, it’s important to consider how scalable and interoperable it is in various environments, and with different devices and business applications.
For example, would an MFA or passwordless solution work across all situations in your organisation? It should work easily in the office environment and on all company managed devices, but have you considered other scenarios:
If you select a standards-based passwordless or MFA solution that works across the board, independently of mobile connectivity, and with a seamless user experience, you can reduce the costs and complexities associated with managing several different authentication mechanisms.
AR: Looking towards the next 5-10 years, what excites you about the future of passwordless, and what should business leaders be looking out for?
JC: At the end of the day, we want to move away from passwords simply because they’re no longer a reliable way to prevent credential theft including basic phishing attacks.
Passwordless, for most people, is about achieving a frictionless login experience that provides a very simple, easy to understand, and user-friendly interaction with the service – that’s the goal.
We are in a very exciting time where the WebAuthn and FIDO2 open standards are finally here in all modern operating systems and browsers, and now service providers and application developers have an opportunity to start implementing this new experience.
Hopefully, over the next 5-10 years we see greater adoption of passwordless and stronger phishing-resistant authentication in general.
AR: What’s the next big thing coming down the pipeline from the Yubico/Microsoft passwordless partnership?
JC: Yubico and Microsoft spearheaded the journey to passwordless authentication nearly five years ago when building the first working reference designs for the FIDO2 standard and we’ve recently brought a lot of this work to fruition with some exciting announcements.
As of March 2021, Microsoft Azure AD is generally available for passwordless login, enabling admins to leverage a passwordless login flow for their users with a variety of authentication options including Windows Hello, Microsoft Authenticator App, and FIDO2 security keys, like YubiKeys.
We’ve also expanded our partnership with Microsoft AccountGuard to deliver YubiKeys, free of cost, to high-profile and high-risk organisations.
Microsoft has been an important player in the journey to passwordless authentication and a valuable partner to Yubico. We’ll continue to work and innovate together to improve passwordless options for individuals and enterprises and ultimately make security simpler and more accessible across Microsoft ecosystems.
Al has been in the IT industry for 20 years and is still excited by the pace of change and technological innovation that steers our personal and professional lives. Al’s role as alliances and...