Podcast transcript: Going passwordless


This automatically-generated transcript is taken from the IT Pro Podcast episode 'Going passwordless'. We apologise for any errors.

Rory Bathgate

Hi, I'm Rory Bathgate.

Jane McCallion

And I'm Jane McCallion.

Rory

And you're listening to the IT Pro Podcast, where this week we're discussing passwordless security.

Jane

Good password hygiene is one of the most important factors in endpoint security. If passwords are managed improperly, threat actors can access critical systems, and the use of weak or recycled passwords continues to be a problem even amongst IT professionals.

Rory

In place of legacy systems such as one time passcodes sent via SMS, groups like the FIDO Alliance and World Wide Web Consortium are working to make passwords a thing of the past.

Jane

Today, we're speaking to Richard Meeus, EMEA director of security & technology strategy for Akamai Technologies, to discuss the solutions that can enable more secure sign ons, and how the sector is handling this change. Richard, thank you for joining us.

Richard Meeus

Thank you very much, delighted to be here.

Jane

So everyone's been using passwords on their computers for decades. How come now they're being called insecure?

Richard

Well, I don't think it's now that they're being thought of as being insecure, I think they've been insecure for a long time. I mean, passwords have been utilised as an authentication mechanism for centuries. And it's always been fairly trivial to find out what they were. What we've been doing recently is with a plethora of websites and services, especially after the pandemic that everybody went online. Everybody reused the same passwords. People, humans, users: we're rubbish at passwords, we have a limited capacity to remember passwords. And therefore we tend to use the same one repeatedly. Or we just try and be very clever and add a ‘1’ to the end, to try and make it uncrackable. And because of this, the criminals know this, the criminals know that we are bad with passwords, and we just use something like our pet's name or something like that. And it's relatively easy for people to get the passwords or, as most commonly happens, an organisation will be breached and their password and username database will be leaked out onto the internet. And then, those usernames and passwords are reused against websites all over the planet. And if you look at some of the database repositories, the legitimate repositories which are used for you to see if you have had your username and password put out onto the internet, there's about 10 million — 10 billion sorry, username and password combinations in there. That's a lot more than the internet-connected population. In fact, it's about four times more than the internet-connected population. So there's a good chance there's a criminal somewhere who has your username and your password, and is trying them on a number of websites. Right now. What we want to do is move to a situation where that risk is mitigated to a certain degree.

Rory

With this risk of reusing passwords, certainly, or generating weak passwords. I know that a lot of businesses rely on things like password managers, can those continue to be relied upon by businesses?

Richard

I think password managers, as well as with organisations looking to protect their users, it's important that password managers are used properly. A password manager is a great tool, I use one for my home business use for creating complex passwords, complex unique passwords. So I don't know what my passwords are, because they are a random bunch of 25 alphanumeric and special characters. I have no idea what they are. And the password manager remembers that, so every single asset that I talk to has a unique password. Password managers, I think, are very useful especially in the short term and within enterprises. It's not so great for end users because the vulnerable people in society, and people who are not familiar with technology, may find them quite difficult to use. But in enterprises they're certainly very useful because it allows you to create complex, distinct, unique user passwords for every single application that you go to. My passwords are often 25 characters long and a stream of unrecognisable characters, and numbers, and exclamation marks, and question marks, and special characters that will be impossible to guess or impossible to do a brute force hack upon. So I think they definitely have a position, especially in the enterprise.

Jane

I mean, Richard, once again, I also use password managers. Are there risks associated with those? Recently we have seen LastPass breached. And every time I see something like that my heart goes in my mouth. And then you realise, actually, your passwords are typically safe. But is there any kind of real chance that either the database itself could be breached, particularly say, if you're reusing a password for them? Or something a bit more sophisticated than that?

Richard

Well, I think a lot of the time, there's always been that concern about “if I put all my eggs in one basket, is that creating more of a risk?” I think that's been the typical response to people not wanting to use password managers. But I think when you actually look at the security that is around the actual passwords, and how they're stored and how they're utilised, I think that that outweighs any of that concern about the risk about having all your passwords in one basket, or eggs in one basket. So I don't think there's a chance that if you, people do use them, I think they are very good, they're very useful. It again, outweighs the risk of just having very simple passwords that you can try to remember.

Jane

Yeah.

Rory

So in response to this, to focus on passwordless security as an option. When someone says passwordless security, I mainly think of biometric security, fingerprints, facial recognition. Is this the most promising avenue for this technology? And what are some of the other methods that are in place?

Richard

Yeah, well I mean the concept of security authentication has always been based around sort of one of three concepts. So there's something you know, which is a password, something you are, which is your biometric. So use your face print or your thumbprint, or something like that. Or something you have, which could be a USB token, or something that you can punch numbers into as a handheld device. So one of those three things, and we've relied upon the something you know, predominantly, which is the password. And we tend to use the something you have, like the USB key, or the something you are like the biometrics as an additional level and commonly called this is like two factor or multi factor authentication. So that what the concept is of going passwordless, is actually shifting away from using passwords as the primary method of authentication. And say, why do we need to use passwords as a primary, when we can use one of the other two, such as having a hardware device or using biometrics to do that first part of authentication? Obviously, there are many benefits to using the hardware device, or your thumbprint, or your face print. Because they're not likely to have the same level of simplicity around them. You know, it's not going to be quite as simple as password 123, when you're talking about your thumbprint, so there's a lot of sort of intrinsic benefit to that already.

Jane

I mean, when we're talking about this, we've sort of talked to him a little bit. When we talk about passwords you're speaking about moving the second part of two factor authentication to the front, the something you have, the something you are. Are we talking about getting rid of passwords completely, or do they become the second part of this 2FA? Or is it going to be my face and my token?

Richard

Passwords can still be used, but I would suggest that they are taken away largely completely, because they prove that they can't really be utilised effectively or securely. Certainly, if you have a three factor authentication it’s often used when you're going into very secure facilities. Where you have to sort of take in your access card, do a thumbprint, and then you have to type a PIN code in there. And then the PIN code would be sort of synonymous with your normal password. So that sort of three factor authentication will still be relevant in a lot of cases. But I think the concept of using a password to log on to a website will eventually go away, because it's not an effective way to access that level and proportionate that level risk.

Rory

And when you're talking about, I guess, in some cases this is consumers would be able to use, say a passkey, a physical passkey to verify their identity on a multitude of different accounts. In an enterprise model, could this be hard to, this specific something you have, could that be hard to implement in that if you left the company, you'd have to return what you had? It would potentially be harder than changing a password?

Richard

Absolutely, I think the something you have part is an interesting concept about what it can actually be. And something, because I think everybody's sort of familiar with the, the old dongles which have the sort of rotating password pass key on them, that have been around from people like RSA for many, many years. And if you look in your desk drawer, you'll probably find two or three of them where the batteries died that you've had from many years ago. And that's not an unusual situation. And so there is an overhead to managing all those additional keys, and people will forget them, people will lose them. So there is an additional overhead in terms of that. So ideally, you want to try and use something that you already have, and you're never likely to let go of. And that's probably something like a mobile phone. And you can use a mobile phone as the something you have component. And it also allows you to do the something you are component because it allows you to do, especially with the modern smartphones, the biometrics and things like facial recognition and fingerprint recognition.

Jane

And I suppose if you've got company provided phones, then it's as easy as just returning the phone or remotely wiping it or any of that kind of thing if somebody leaves the company but they are, for whatever reason, not returning the phone.

Richard

Yes, if you're provided a company phone you will normally have some sort of MDM, some mobile device management software on the phone. Whereas as soon as they leave the company or as soon as the employment is terminated, then it's a question of just hitting a button on the central console and it would remove any of those components.

Jane

Yeah, I've thought of all kinds of nefarious things for employees to do. I think most of us are more inclined to sort of lose our phone, on a train or whatever as well.

Richard

Yeah, absolutely. But also remembering that without the knowledge of where you're going, and what you're going to, because you still have to get the thumbprint to actually authenticate because it's part of that you would have something you have, something you are. Smartphones make it very easy to do two factor authentication, by taking the biometrics and the something you have. So that gives you the two factor based on that. So if you do lose your phone, they may be able to guess the PIN number or the swipe pattern you have to get into the phone. But it's unlikely then they'll have the biometrics to actually get through the next level, to get on to the corporate assets as required.

Jane

Sure.

Rory

Through things like FIDO, there's been talks — I know that some manufacturers at Google Apple, Microsoft, have been in talks — to standardise this kind of technology that you're talking about. So that regardless of the hardware you were using, like the standardised keys across either your business interactions, or on a consumer basis across all of your different accounts, do you think a unified approach like that will be necessary to avoid there being a different kind of tool sprawl for businesses and consumers in the future where they're having to oh, you know, “which passkey am I going to be doing through my phone?”

Richard

I think there's going to be an argument for that. Not quite sure what things are going to happen in the short term, but it remains to be seen. I do think the work that FIDO is doing to promote easier and more secure access online is something that will be followed by more and more organisations. The current iteration, which is FIDO2, so fast identity online version two, even goes so far as to provide solutions that allow you to do phish-proof MFA, because that is also a problem with MFA. It's not 100%. It's a lot better than not having multi factor authentication. But MFA is not 100%, and with the next generation, which is FIDO2, it will be phish-proof. Again, it's never going to be 100%, but it's going to be a lot closer to where we want it to be.

Jane

So Richard, you've mentioned, FIDO2 briefly there. Could you tell us a bit more sort of what that's about?

Richard

Yeah, so FIDO2 is a methodology to make MFA sort of even better, because surprisingly, MFA doesn't solve all problems. You know, we think that it's going to address all of our authentication issues, but it doesn't and there's been several organisations that have been breached fairly publicly. So a very well known video game manufacturer, a well known taxi company, a global taxi company has recently been breached by what's called an MFA bypass. And an MFA bypass technique basically means that the device is talking to the website or the application, and the device that is doing the multi factor authentication are not linked. So this means that if you have stolen credentials, you can put those into the asset, put those into the website, the website will respond with an MFA challenge. And the attackers realise that the MFA challenge is going to be sent to the user, and they will try and persuade them to actually accept the challenge. And it's surprisingly easy to do that, with things like push MFA challenges. If you start sending people that at 3am in the morning, it's remarkable how quickly people will just click on ‘accept’, rather than have to listen to the bing, bing, bing, bing, bing, bing, constantly being reminded in the middle of the night. And this is what's happened to many, many organisations, is that because the device that’s making the request to the asset and the device are not linked, you can get this what's called push MFA or MFA bypass. So what FIDO2 wants to do is to locally connect the devices making the request to the origin and your external device. Now, you can do this through a USB key, plug the USB key into your device, they're now locally linked. Or you can do it through NFC, or you can do it as we do with Akamai, you can link them together through cryptographic keys. So my phone and my laptop are cryptographically linked, which basically means that the MFA is not valid unless it comes from my laptop. So if my credentials are stolen, and somebody tries to log in in another part of the world, and then tries to do a push MFA exertion on me, it won't even happen because the request has to come from my laptop. And this is what FIDO2 is doing, it’s ensuring that local MFA connectivity before it actually goes on to the next stage. And by doing this, it gets round a lot of the big MFA bypasses that have happened this year.

Jane

So this all sounds really great. And as a consumer, I can see myself adopting it. I already have, I use my thumb on my phone, people use their faces on their phone. And, you know, really consumers can turn on a penny when it comes to adopting new technology, anything like that. For businesses, it can be a little bit more difficult, especially if there's some kind of integration that they need to do with legacy systems. So how quickly can that be done? I mean, is it a problem? Am I throwing up a problem where one doesn't exist? But if I'm not, how can this be managed, and how quickly can things change?

Richard

I think with enterprise, it'll be a lot easier than it will be for consumers. For two different reasons. The main reason for consumers is that there will be a long tail of users who, for want of a better word, may be a sort of Luddite about adopting the new technology. There are many people who don't want to have a smartphone with biometric controls on them for whatever reason. So for a service, such as public services, public sector, where they have to provide a fully inclusive service, there's gonna be a long tail of people there who won't fit into the parameters where you can do that full technology, but for multi factor authentication using biometrics or smartphone, so there will have to be solutions there to cater for those people. But with the enterprise, you have a lot more control. And you can certainly start linking all of your assets to talk to a central identity provider, be it Active Directory or some other form. And once you have authenticated with your main IDP, your main identity provider, that can provide authentication tokens to every single other device within your estate, meaning once you're logged in, you're logged in across your estate. And that identity is protected by authentication through multifactor.

Jane

So the other way around to what you find quite often then, is that for businesses actually, this is quite easy. I mean, are there any sort of key hurdles that might hold up passwordless security in businesses or is it really just as easy as kind of going, “right this is our, you know, the method that we do now internally, at least. And, and off we go”?

Richard

There's always going to be some legacy applications that don't have the ability to use authentication. So there are functionalities like OAuth, which allows applications to be authenticated elsewhere. If they don't have the functionality to have that capability, then you're going to have to have another way of authenticating with those legacy applications. So it's not necessarily going to be applicable across the board. But most modern organisations will have the facility to deploy the majority of their applications through that one password, or one authentication process, and then being able to pass that assertion through to all the relevant applications.

Rory

Do you think that implementing a system like this might also help with oversight of who has access to which systems? Because currently, obviously with passwords, it's very easy within an organisation for someone to ping a password across on a Google chat to someone who maybe shouldn't have access to, to a back end system. So using authenticators might also improve observability across the system?

Richard

I think there's a potential for that, I think that where that particular area’s going is more into looking at the authorisation component. So with identity, you’ve got the identification, which is the username, you've got the authorisation. Sorry, the authentication, which is the something you are, something you have, something you are. And then there's the authorisation component, and authorisation is something that's being looked at when you look at things like zero-trust network access, which is a way of giving users access just to applications that they need. So it's really sort of going down heavy on least privilege. This is a really good way to ensure that only the users authorised to access an application, get that level of access. Which means that anybody else does not have that level of access. So, if you gave somebody else a password, you'd have to have the username and have the password, but they still wouldn't be authorised, they still wouldn't physically be able to get to that particular asset. And I think that's why a lot of organisations are looking into it. Because I know zero trust is a word that's bandied around a lot with, with wanton carelessness, sometimes, but it fundamentally comes down to least privilege, which is something that IT professionals have been familiar with for many, many years. And that's where it's trying to get to, if you don't have the right identity, authentication and authorisation, you can't actually get to that application.

Jane

So Richard, if the worst does happen, and a business is hit by a cyberattack, can using a passwordless solution help minimise the impact? Or does it just minimise the risk?

Richard

That's a really good question. I think initially, it minimises the risk. Because I think if you, there was a report I think in the Verizon data breach incident report last year, that credential vulnerabilities were responsible for 84% of all breaches. So if you can get to addressing that vulnerability, that reduces the risk significantly of having a breach. So I think that's the first aspect. Once somebody has got inside your organisation, then absolutely, having good identity controls in place, but it's a little bit late at that point, you then need to be looking at other security elements to be able to protect your organisation. And that can be through things like zero trust network access, or micro segmentation to throw another technology into the mix to prevent them moving laterally through your organisation. But I think this is where passwords can be used, especially within the enterprise as part of a layered security model of trying to reduce the risk at all levels, reduce the level at authentication time, reduce the risk at connection time, whether connecting via IP or just the application layer, and then reducing the risk of moving throughout an organisation when deployed as part of a managed strategy, then you're able to reduce the risk at all levels as best as possible.

Jane

Yeah, and I think you've kind of hit on something important there really, which is whether this is passwordless or really any other kind of security technology, or any technology, that it's not a panacea, it's not a cure-all, it has to be used as part of a wider security strategy. Whether that's training or like you say, other technologies that can help the progress or at least to slow the progress of anybody who's staging an attack. Is that a fair observation?

Richard

Absolutely. I think that there aren’t many things that as security professionals we can do, that actually makes things easier for end users. Normally, we are seen as the Department of No, the Fun Police. So I think that anything that we can do within security that actually makes lives easier for end users, and makes them more secure, is a good thing. And reducing passwords, reducing the use of passwords is a good thing, because nobody likes them. Nobody likes them, nobody likes trying to have to remember them. There's always a challenge, there’s always some times you forget, or whatever. It's a problem. It's a massive security risk. So getting rid of that pain point from users would be a boon I would say.

Rory

So you think that there's real potential for this to improve, maybe, productivity within the workforces? Or at least improve the use of access for vital systems within workforces?

Richard

Absolutely. I think when you look at most organisations where you have, you know, probably thousands of applications within an organisation, although most users will only have access or need to use 10 or 20 of them. The ability to reduce the access to just the applications you need, and the ability to not have to worry about a password is fantastic. At Akamai we've been passwordless for many years now. So I don't use a password to log on. I don't use a password to access applications, it's just all done through passwordless technology. And that makes it a lot easier for me not having to worry about, “oh, I need to access that particular system. Where is it located? What password do I need?” All that, it's a lot easier to use. And yes, it's anything that gets rid of that, “oh, what's the password for that application that I haven't used for two months?” Anything gets around that problem, which everybody has, if you can get if you can solve it, it's bound to help all sorts of users.

Jane

So Richard, at Akamai you are ahead of the curve. But how far away do you think we are from universal adoption of this kind of security across businesses?

Richard

I think that's a very difficult question. Because there are many companies and many verticals that are on all sorts of that journey, all different areas of the passwordless adoption journey. I think people will want to go there because the benefits are manifold. But there is always going to be an issue with inclusivity. Because you have to make sure that everybody is catered for. And if you can't cater to everybody, then there's always going to be an issue. So in the consumer space, I think it's going to be utilised to enable users, I still think you're going to have to have passwords for inclusivity. But if you're using it in the consumer space, and you want to get access to all of your favourite music sites, or TV sites, or shopping sites without having to remember a password all the time, I think people are going to embrace that. And that it will be seen as a benefit not only for the consumers, but also the vendors as well. In the enterprise space, I think that organisations will want to go down this level to a certain degree, I think there's always going to be legacy applications that won't suit that. Or the infrastructure will not benefit it as a whole. But I think overall, it's certainly a methodology that will be broadly adopted. The big vendors, as you mentioned at the beginning, are doing this. Microsoft has things like Microsoft Hello, which allows you to do passwordless authentication. It's something that's being adopted through many different vectors, so it will increase. Am I going to put a date on it and say you have no more passwords in five years? That’s a crystal ball I would love to have, but I couldn't say that.

Jane

No fun, no fun.

Rory

Well, Richard, thank you so much for being on the show.

Richard

Thank you Rory, thank you Jane. It's been a pleasure. Thank you very much indeed for having me.

Jane

Thank you. As always, you can find links to all of the topics we've spoken about today in the show notes and even more on our website at itpro.co.uk.

Rory

You can also follow us on social media, as well as subscribe to our daily newsletter. Don't forget to subscribe to the IT Pro podcast wherever you find podcasts. And if you're enjoying the show, leave us a rating and a review.

Jane

I will be back next week with more from the world of IT, but until then, goodbye.

Rory

Goodbye.
