Informal security chat with our host Reece Guida, Beyond Identity's CTO Jasson Casey, Product Evangelist Nelson Melo, and special guest Kevin Korte, President of Univision North America Inc., on moving away from passwords.

Transcription

Reece

Oh, hey there. It's me, Reece, the podcast lady host, and enterprise sales lady at Beyond Identity. I'm gathered in the office at the sacred podcast table with Jason again, and we're going to do an episode of course. Jasson, who are you? 

I always forget. 

Jasson

I'm not sure either. I'm Jasson. I'm the CTO here at Beyond Identity, and Reece always ensures that we have a start that looks like we're not organized. It's part of our thing. 

Reece

It's intentional and deliberate. That's right. And then Nelson, where are you? What are you doing? Why couldn't you come into the office today with us, huh? 

Nelson

Oh, man, busted. Yeah, I had a lot going on today and it's hard to focus sometimes with a lot of people around, so I stayed home. 

Reece

We'll let it slide this time. I'm sorry. It makes it... 

Jasson

I think you're burying the lead in that. Like, you have a very young one that you're on hook for co-parenting. 

Reece

That's right. 

Nelson

Yeah. 

Reece

Nelson is not only raising the next generation of children, but the next generation of technology as well. So, he's got a lot on his plate. And then there's a new presence among us, and his name is Kevin Korte. He is the president of Univention America. Kevin, what are you doing here? 

Tell us about yourself and then we'll go into the hot take. 

Kevin

What am I doing here? I'm not really sure. I hope you know, because then at least one of us does. Otherwise, I'm trying to convince people to care about their digital identity especially businesses. 

Reece

What a coincidence because we want businesses and people to care about their digital identities as well. So, I thought that today's hot take could be, you know, LastPass isn't the problem. And I want to talk about LastPass because I know so many people that are scared out of their minds. 

They've been loyal LastPass users for years. I used to be one too. I had to help people migrate off of it to other password managers and, you know, at the end of the day it feels kind of futile. Kevin, can you tell us what you think of that hot take, what you're seeing and how you feel about it? Tell us how you really feel. 

Kevin

Given that about half of Americans reuse their password from banking to social media, I don't think LastPass is a big problem. We really have to either get rid of passwords or we have to scare the crap out of people to not use the same password, not use passwords which are guessable, and not use passwords which I can buy right now on the black market for their email or for their identity. 

Reece

So we got two options there. I like option one better. No passwords ever. Not allowed. Even if the password is long, right? You know, you have 100 special characters. Actually in our internal Slack chat, one of my colleagues said that he was supporting his son as he moved away from LastPass to 1Password for their password manager. 

And his Xbox password in particular was like 119 characters long, right? You could send a machine on a mission to crack that password and it would take a longer time than Xbox123!, right? But at the end of the day, it can still be hacked. It can still be bought online if it is hacked. 

So, option one all the way, no more passwords. Kevin, when you talk to organizations about digital identity, how often does Passwordless come up? Or what do those conversations look like for you? 

Kevin

I think Passwordless with half the organizations, they aren't even there that they have like central identities. So, we are more often talking about things like single sign on so that you only have to enter the password once, and not five or six times during the day, or look at actually having a single password which then can be long, can be enforced, and really it's kind of a prerequisite for going passwordless. 

Because if you don't have one identity, you either have to have six or seven different tokens which no one really wants to use, or you'll go into question like, "Okay, how do I manage that? How do I get the users to accept it? How do I get users out of software if they lose their tokens?" So, really, it would be great to go to the step of no password, but I think as a country and as companies, we're not really there yet. 

Reece

Oh, that's a hot take Kevin. I think we agree to disagree on that one. Nelson or Jason, you want to talk about why we are there today for organizations that are looking to get rid of passwords? 

Jasson

I'll start with just saying we have 40 to 50 years experience trying to get people's behavior to change that shows us the behavioral change is either not possible or probably the hardest thing to do, and I do kind of wonder how much of this is trying to get the horse to run faster versus realizing we actually just need a different mode of transportation. 

I would nuance the argument a little bit like yes, corporations are behind the curve in terms of having a sort of centralized identity. Enterprises aren't but mid-market small business certainly is. With that said, the tools are available for them to actually centralize identity in a way that's very inexpensive through things like Google, G-Suite or work... I think they call it Workplace now or Workspace now. 

And in addition to that, like there is... so for those of you who don't know, there's this website called the SSO tax, and it's a name and shame list trying to, you know, companies don't really care about shame, but really trying to share shame companies that are charging extra for SSO integrations. This idea that proper security must be paid for and the product is not secured by default. 

With that said, I do think the advent of things like FIDO, FIDO2, harbor backed pass keys that my browser or physical tokens can anchor, might be a way of leapfrogging in front of SSOs and in front of the lack of SSO integration that exists in a lot of that mid-market and small business. This is still to play out, so I'm just thinking out loud. 

Maybe I'll be wrong once time turns over, but I have a hard time believing companies are going to charge extra for FIDO implementation. Or more specifically, I have a hard time believing they're going to charge extra for their enterprise users to use a FIDO key to log in versus to use a password to log in. Operationally, one is much simpler than the other. 

Turns out it's not passwords that's simpler. And from a security perspective, it provides a very large jump just like passwords are just fundamentally broken, right? And so, I don't know. Speculation, part hope, FIDO keys and those sorts of things represent a possible way of getting in front of the problem that SMBs and mid-market enterprises, for the most part, either don't have an SSO or don't integrate all of their apps into an SSO because they haven't bought that tier of product or service that supports SAML or OIDC integration. 

We've been trying to shame companies out of that for a while too, and some of them have relented and most of them have not. So, maybe we need to kind of jump over that. 

Kevin

As a problem with jumping over that is that, in my experience, a lot of companies have both the consumer product and the product for enterprises. So, you would require them to either adopt two different products or you would also need to get consumers to use things like YubiKey to logging in, which I think is a completely different mindset and different requirement for people, and I don't see that happening. 

Jasson

I don't think you have to go down the... Oh, go ahead Nelson. 

Nelson

That's an interesting observation because... And it's understandable that FIDO is so deeply conflated with YubiKeys but it's not the only way to use FIDO, right? In the newer term or more recently, Passkeys as an implementation has come up, operating systems are starting to come up with ways of dealing with cryptographic credentials from the web, from native implementations. 

So, is it a problem of forcing the user to use the form factor of a hardware key, or is it trying to help them understand that a shared secret is not the right authentication credential type, right? There's stronger, more secure ways to authenticate and now the form factor that takes is just that implementation detail. 

Jasson

I think you lose consumers at the phrase shared secret, right? 

Nelson

That's a good point. 

Jasson

They just want to log into stuff. They want to be able to log into stuff without the pain that they experience with passwords. And I totally agree like workplace enterprise is different than consumer. With that said, I double down on what Nelson said, FIDO Keys can be backed by hardware without requiring a YubiKey or even the consumer to understand what's going on. 

Any browser, any major browser that you deploy today will actually use the enclave in your laptop, in your desktop, or even in your phone to store a FIDO key if a site tries to create a FIDO key. 

Reece

Wait, wait, wait, Jason. The keys are in the computer? 

Jasson

Turns out the keys are in the computer. 

Reece

Oh my God. 

Jasson

But, yeah. So, YubiKey was really early on the scene, basically making this portable enclave, right? I can stick a physical key in my pocket that it serves as a metaphor that for, you know, the rest of the world, the people that aren't in tech understand, "Oh, I stick my key in the thing and it opens, or it lets me in. It lets me into service." 

But really all YubiKey did was take an enclave, mount a USB interface on it, and kind of support standard protocols to kind of interact with YubiKey. It turns out the world has moved on since YubiKey introduced this about four years ago. And now operating systems, browsers and key wallets support these protocols and actually will lever the enclaves that come native in almost everyone's hardware to do a similar thing. 

Kevin

But then you're kind of back at the LastPass problem. I'm uploading my wallet or I'm securing my wallet or my native key with four digit pass phrase or four character pass phrase, and then... 

Jasson

Actually that's not true. So, here's the difference, right? With a password-based system, I have a centralization of a secret, right? With a FIDO-based system, I don't actually have that centralization. And I'm not guaranteed to have a knowledge-based factor to unlock that private key, right? So, when I have an Enclave and I create a key, I can create guards on those keys and those guards determine when it's okay to use that key for signing, right? 

I could have a null guard, I could have a PIN-based guard, I could have a biometric guard. I could even chain those things together. In the scenario that you called out though, the PIN guard, the PIN never leaves the local device, which is completely different than a password. A password, the PIN literally, or the password must travel. 

It must touch all of these systems. When you touch a system, you touch memory. When you touch memory, you pollute the cache. When you run out of memory, you get to swap the disc. So you have this incredible surface area expansion that happens with passwords. But, a PIN-based credential that's managed in an enclave, it has a blast radius that's essentially equivalent to the local device yourself. 

So, the threat vector there is the adversary has a key logger to log my PIN, and the adversary can physically steal the device I'm actually working from. That's a much, much higher bar than what we've been talking about with password there. And then of course, you also don't have to go that way, you could use biometrics as well. 

Reece

Kevin, are some of the organizations you are talking to becoming more interested in biometric-based authentication? I would suspect that just because of, you know, the devices we use every day, there's a biometric component. I'm curious to know what kind of trends you are seeing in the authentication space. 

Kevin

Biometrics is very interesting in the sense of we've seen it come up, we've seen problems occur and now it's kind of flattening out and you are kind of over the early adopter phases. We've seen slow growth again, and I think we've seen it especially in healthcare where they... 

Actually, if we talk about it's a YubiKey where they get away from the key card, and just wanted to use actually the facial picture. So, not so much the fingerprint because you don't want to take off the gloves in the hospital, but, yeah, the camera as an identifier, which is especially not just so much from a security perspective, but from a sanitary perspective. 

You don't have to take gloves off, you don't have to swipe a key card which goes everywhere and which no one really ever sanitizes, versus your face, you hopefully wash it and... 

Reece

Hopefully. 

Kevin

Yeah. And yes, masks are problems there, but there are implementations now which really take scans of your only the upper part, so where your eyes are. And it's really interesting to see that that gives a computer enough information to separate people, but apparently it does. 

Reece

So, what trends do you see folding out this year? We're at the start of 2023. We just came off of a lot of breaches. One good example you just mentioned was facial recognition in the use case of somebody wearing a mask. I feel like COVID really encouraged technologists to make that possible. Before we wrap, maybe you could leave us with a prediction for the year ahead now that we've had a fun conversation about passwordless and some of the challenges around that. 

Reece

I think we'll see, especially with passkey, as Jasson mentioned, the first implementations, the first rises of users and the first downfalls, the first problems in the implementations, and hopefully we'll see the trend picking up, but that might be more 2024 than this year. 

Otherwise, I think we'll get to the point where people are scared to just use passwords and see more multifactor authentication and maybe even get away from using SMS for that. Because cloning SMS has become a problem, at least for financial institutes. 

Jasson

Everybody, cross their fingers. 

Nelson

Yeah, I sure hope we move away from SMS. Yeah, right? We all want that. 

Kevin

As with many cybersecurity, yeah. Let's hope for it. 

Reece

Well, Kevin, thank you for joining us all the way from Germany. It's been a pleasure getting to know you and, you know, speculating on how we think authentication is going to improve and change. And to our audience, thank you for joining another fun episode with us. Stay tuned for the next hot take. Dun, dun, dun. And don't forget to like and subscribe please. 

It'll hurt my feelings if you don't.