Moving Beyond Passwords
0:00:03.4 Rich Gibsen: Alright, good morning. Good afternoon, everyone, and welcome to the Moving Beyond Passwords webinar. My name is Rich Gibsen, I am the Vice President of Product Management at SecureAuth. I am going to take you through a presentation today to talk about moving beyond passwords. And some tips and tricks for your organization, how you can think about retiring the password. It’s especially appropriate today, on World Password Day. So hopefully, this is meaningful and you get some value out of it. So let’s go through the agenda real quick. We’re going to start with… We always start with the problem statement. What is the problem? I think everybody knows. But we’ll start there. We’re gonna talk about the benefits of moving beyond passwords. I’m gonna take you through an approach that we have and that we’re thinking about, we’re talking with our customers, and then we’ll spend a little bit of time on the considerations as an organization.
0:01:09.8 RG: This is a very… I think it’s a very nuanced thing to think about, and there’s some considerations that will help you as you think about getting rid of passwords in your organization and then we will wrap up. And at the end, I’ll leave some contact details if you’d like further discussions on the content that you see here today about moving beyond passwords. So with that, we’re gonna start with the problem. And it’s interesting, because as I thought about putting this together and I thought about… And we’ve all been on webinars with a lot of stats, a lot of statistics, the scare tactics of what is the problem. I thought about what this really means. And so I’ve got a small story I’m gonna segue into around that I think is gonna perfectly illustrate the problem.
0:02:04.0 RG: I have been doing taxes for a number of people for a number of years, and there’s three or four people that have done their taxes for the last 20 to 25 years. So every year we have the same routine, along about end of January, beginning of February, I make a phone call. Do you have everything ready? Yes, we’re ready. I show up at their house. Now I install the software and we get the taxes done. In the old days, it was very easy, it was all paper-based, and so I would do that. Last year, and it’s been a couple of years, there’s one person, we’ll call him Rob, who I’ve been doing taxes with for 25 years now. He lives about 40 miles away from me, so it’s a long haul. We have to coordinate his schedule, his wife’s schedule, his kids’ soccer schedules, my schedule. Everybody gets aligned and we figure out our time frame and we go to do taxes.
0:03:05.9 RG: And last year, I got out there. We got everything ready and the tax software that I use signs into all of the bank systems, all of his investment, online investment applications and pulls down the data for taxes. And every year, we begin the dance. And the dance is, “Rob, do you remember the password for this investment account?” And he starts guessing. And we begin the guessing. And then we get a couple of guesses in and I say, “Call your wife.” The wife comes upstairs and she starts guessing, right? And then we look around in the office, “Did you write it down somewhere?” And then we lock ourselves out of the account. We try five times, we get locked out.
0:03:50.0 RG: And most of these accounts, because we have to do it on the weekend, most of the accounts have helpdesk only Monday through Friday, and so I have to make yet another trip out. So we do what we can, I leave, I come back. This year, I said, “We’re not gonna do that anymore. I don’t have the time, you don’t have the time.” And so what we did was… And this goes to the heart of the problem. This is why we’re gonna start with this. I’m in the industry, I’m in the business, and this is literally what we did. “Rob, we’re gonna reset these passwords. You’re going to email me your user name and your password for all of these accounts, so that next year when I come to do your taxes, I’ve got these,” because he only signs into these accounts once a year.
0:04:31.7 RG: And this is someone who does this for a living. And I was thinking about this last night as I thought about putting a webinar together, password and the complexity and the use case for users is highly confusing, frustrating. I can’t tell you how frustrated he gets, I get, his wife gets, as we try and figure this out every year. And we know we’re gonna do it every year, and every year we go through this. So I broke every code in my experience to do that, but I’ve got that. And this is the heart of the problem. Passwords are confusing, and I think all of us have stories just like that, that we can talk about. And again, that is expensive. So I think about the Charles Schwab and the Janus, and some of the other help desk, which I’m getting to know them. Every year I call and say, “Here, we’re calling on behalf of Rob.” But what I’m saying is, it is expensive for those companies, and it’s an overhead that they have to incur to be able to handle that. And I can only imagine during tax season for these investment accounts in the banks, they’re getting a deluge as people once a year sign in to pull down those tax receipts and those tax information.
0:05:47.9 RG: So it’s expensive, it’s onerous, it’s impractical, and even those of us in the industry that know better, will head towards convenience, will head towards ease and we do things that we know are not safe and not right. And so what can we do? One of the things… And so we think about, and the industry says, “Well, listen, we know passwords are impractical, we know they’re not safe. We know they’re the weakest link. Let’s layer two-factor on top of them. So let’s think about what can we do in the two-factor space, to make them more secure?” Which is a great idea in theory, but what we’re finding in practice is a lot of these are not secure enough. So we think about one time passcodes delivered via SMS or email, and this says, “You know what? That’s not secure enough anymore. That’s not practical. You need to not rely on that.”
0:06:41.3 RG: So then we look at tokens, and tokens in the past have been compromised. They’re also really expensive and that’s a lot of investment in overhead that you’ve gotta put as a company. So that’s not always most practical. The old knowledge-based questions, and again, I think we all know what the issue is there. Those are very easily obtained. Everybody shares everything. You can guess what those might be.
0:07:07.8 RG: And then we do have the push to accept. So that’s another way, that’s a little more secure, but we have seen where people are manipulated. In fact, I talked to one user that was… Well, it was kind of funny. We have a mobile application that has a feedback link in it, and you can push a link in the application that sends a feedback. It’s supposed to be for product feedback, but one of the… And I received the email. So as a product measure, I received the emails. So one of the emails I got was from an end user that says, “Hey, I wanna know why I’m getting all these annoying ‘accept this request’ things on my phone. Why am I getting these? And I’m just accepting them because I need to get rid of ’em on my screen.” So after I lit my hair on fire and I responded back to him, I said, “You can’t just be accepting those push to accept. That’s someone trying to brute force your account, so don’t do that.” I educated him. So those are not always the best methods, either.
0:08:08.2 RG: So we’ve got the situation where passwords are very difficult to manage, they’re very expensive, the 2FA methods are not really secure enough to protect over the top of that. So where do you go from there? And where we’re starting to think about, and where our customers are starting to talk about is, how can we remove passwords? How can we get them out of the ecosystem? So if I think about the tax situation with Rob, if I could remove that from the transaction, all of us would be saved a lot of time, money and heartache, and we would be able to achieve what we needed to achieve. So some of the benefits… In priority order. So we think about the user experience. I think a lot of times we focus on security, which is right, but it’s also the user experience. We’re gonna have a better user experience. It’s gonna be more streamlined for the users to get into the applications and the resources. Number two, better security. We know that’s a big fat target out there. How do we kind of eliminate or mitigate that vector to increase the security?
0:09:16.1 RG: And I feel sorry, again, for those help desk guys that are getting those deluge calls, so this will reduce that load on the IT and help desk, lower cost of ownership, and it also increases control. So if you think about the employees and the crazy things they’re doing, like putting all the user accounts and passwords in an email and sending it to themselves and archiving it, those are the sticky notes out there in the wilderness we can maintain control, increase our control of what those users are out there by eliminating that kind of free for all that’s sitting in the environment. So those are the benefits.
0:09:52.6 RG: And there’s a lot more probably that we can come up with, but if we think about the top four… And I put a user experience on the top of that ’cause it’s just gonna make a better experience for all of us. Now, I wanna talk a little bit about the approach. So this is where I think it gets… I think there’s some wider discussion to be had here. So inside SecureAuth, we’ve taken a two-pronged approach to this problem. And the first is really around, how do we abstract the password from the user? So what I’m talking about that is, if I don’t have to enter a password when I’m downloading tax information from a website, but a password is kind of abstracted out and it’s in the back and it’s being passed around from asset to asset, is that really a password-less transaction?
0:10:48.9 RG: And so we said, “Look, if we can deliver the password-less experience to the user, and then we can rely on technology later, like a FIDO 2.0 or a WebAuthn protocol that allows us to completely remove the password from the transaction. That’s probably a good kind of dual approach to start with,” and so that’s the approach we’ve taken. And we think about that in the evolution. So if you think about where we started or where some people still are, some research still are, is that single factor authentication. So of the three, the what you have, the what you know and what you are, we started with what you know. That’s the single factor authentication. Quickly realized we needed to have additional points of data to understand the user, and so we added either what you have, which is a hardware, potential, either a token or a device, and/or what you are. And we layered those in with the what you know, which is your knowledge and the password.
0:11:53.3 RG: But what, again, as I just alluded to at the top of the webinar, that’s a, still a complex piece of knowledge that is easily phished, easily attacked, very complex for the user. So we need to move away from that and we need to move to password-less. But we cannot lower the level of trust and we cannot lower the level in authentication. And I’m gonna talk about a little bit of that when we get to some of the considerations. People are married to that paradigm, and there’s a piece of that that we need to make sure that we understand and we need to make sure from a security point, we don’t go backwards. And so at SecureAuth, we think about this idea of pre-authentication or risk analysis. And what we’re doing here is we’re thinking about how can we make some intelligent data points? How can we gather some data points, make some intelligent risk analysis prior to challenging the user? And if we can do that, and we can understand the risk of that transaction, gathering of data, we can then remove the knowledge piece out of the authentication paradigm.
0:13:01.1 RG: And we can move now to what you are and what you have. And so that’s much more secure, inherently, and we’re able to remove the what you know. So we’re increasing the level of trust and confidence. We’re increasing the user experience, it’s a much more seamless user experience, and it’s actually a more secure transaction as well. And so that’s the approach number one that we’ve taken with how we think about removing the password. In this paradigm, the password is still, is abstracted from the user, we’re still using it in the background, we’re sharing it with resources, but it’s abstracted from the user. And then we’re going back and we’re adding that pre-authentication risk analysis even into the two-factor transactions. ‘Cause we wanna increase that level of trust and confidence in the authentication, that’s gonna be key. So we’re not gonna be able to remove anything that’s gonna increase the risk of the transaction. So we wanna add the pre-authentication in there to bolster that. So that’s the key to this as we move away from passwords.
0:14:04.9 RG: And so how that looks, let’s just walk through that a little bit. We do have a number of different layers that we employ. All of these are running in the background prior to the user logging on. So think about, again, if I go back to my story about Rob, when I go to do his taxes, one of the things… If we were to remove the password out of that, we would be checking a number of different things about that transaction as Rob logs into Charles Schwab, to think about what’s the risk of that person logging in? Do we think that’s Rob? And so we look at that in the background. We don’t interject until the risk threshold is breached. And at that point, we’re gonna ask for the what you have and what you are, if we have to challenge. And we’re also gonna start looking beyond the log in for a truly continuous… I’ll talk a little bit about that.
0:14:58.1 RG: So as we think about diving in to these… And these are all… You can employ one or many. This is more of a security and layers, so you’re layering up on top of the transaction to determine risk. The first thing we’re gonna check is, have we seen that device associated to the user? So every year, as I go in to Rob’s house and we sign under Rob’s laptop, one of the transaction checks we would be doing is, have we seen this user signing in with this browser and this device to this website before? We’re checking that association. If we’ve seen that association before, that’s a good indicator that that’s probably Rob. And the next thing we’re gonna be checking here is, is this a known bad IP? We have a threat service that we’re gonna wash that IP through, and we’re gonna look for things like, is it coming from a Tor exit node? Is it an anonymous browser? Is this a known bad IP? So we have a number of different providers that we broker threat service, and we’ll get an IP reputation score back, and we’ll understand the threat of that IP.
0:16:07.8 RG: We’re also gonna look in for those B2E situations, whether it’s an employee. Is this a valid directory group with a valid attribute or a set of attributes? So is that user in the directory? Does it look like it’s well-formed? Does it look like that they have the permission they need? So we’re gonna do that check there. And then we’re gonna look for the known location. So again, back to, 40 miles from my house, Rob lives. Have we seen that IP associated with this user before? And so again, we can start to understand risk if that IP is brand new. We’ve never seen it at the geolocation before, if we’ve seen that IP geolocation relationship before. So we’re gonna check that. All this is happening as he’s landing on the login page, if you will.
0:16:58.4 RG: We’re gonna check for improbable travel events. So did he just sign in 20 minutes ago from Los Angeles, and now we’re in Phoenix and he’s logging in? That’s probably a high risk and we probably need to check that. So we’re gonna check geo-velocity. We’re also gonna be looking at a pre-defined geographic location. So we just rolled this out, this is dynamic perimeter. So you can define a perimeter and the users within that perimeter. It’s a lower risk. If they’re outside that perimeter, it’s a higher risk. So we’re gonna be checking that.
0:17:30.2 RG: And then we’ll be looking at things like the device. So as we think about, should we deliver an SMS or an OTP or any type of push or any type of second factor to the device, we’re gonna interrogate the device first. We’re gonna check is it in an approved type of device, has it been ported? Is it associated to your approved carrier? All of these will be configured by you as an organization, we’ll check that. We don’t want to deliver SMS or OTP or push to clone devices, swap devices. So we’ll be looking at that.
0:18:03.7 RG: And then we’ll be doing some analysis on keystroke, key flight, mouse movements. So again, as Rob is signing in, does it look like that’s the way he always enters his password? Password might be correct, but maybe he doesn’t enter it exactly the same way. That’s an indicator that, potentially, that’s not Rob entering that. We all have unique keystrokes, key flights, especially on those repetitive entries. We do them the same way and we measure that and we can look for deviations from that. And this is a new feature that’s coming out in the next release, but we’re looking at now, the IP itself, is it behaving, and does it look like it’s involved in a brute force attack? So IPs that are starting to exhibit certain behaviors. So one IP is trying multiple username and passwords against multiple sites, or multiple IPs are trying a single username password. So if they’re exhibiting that behavior, we can do that quick analysis and understand the risk of that.
0:19:01.3 RG: And then finally, we’re gonna look at the user and entity behavior analytics, so we’re looking at patterns. So Rob’s pattern is he signs in once a year. And we try five times, and then we lock ourselves out, that’s our pattern. And we’ve built that pattern over time. If Rob, all of a sudden, was signing in every month and he had successful sign ins, that’s outside the pattern. So we use our advanced adapted, powered by machine learning, we start to look at that, calculate a risk score there, understand the risk, then all of that is factored in to the decision we’re gonna make. So as we run through all of those, let’s see how that looks in an actual pattern. So if we take the idea of 20 bad guys at Rob. So we’ve got all these bad guys that are trying to get into the Charles Schwab account, because Rob has his password everywhere. He’s got it in his email he sent to me. He’s got it out on the web that’s been breached and it’s out for sale. So they’re gonna start to do this.
0:19:58.0 RG: And the way that we do this… Rob’s sitting, he’s on the log-in site. He’s about ready to log in. So are all these bad guys. So we run the threat service first, and a majority of those are flagged as high risk. And so we’re gonna knock them out right away. So those IPs, the reputations are high enough, the risk score is triggered, and we’re gonna ask them for a multi-factor authentication method, which I’m not gonna be able to provide. And then they’re gonna be out.
0:20:26.2 RG: So the next four, the first one, he’s able to get through that. ‘Cause that’s not a known bad IP, but he gets blocked on the geolocation. So we have not seen him within Rob’s… The Chandler address that Rob lives at. So he’s, again, gonna get blocked here because he won’t be able to provide the multi-factor because of the risk. The next guy gets through that but device recognition. So we haven’t seen the device, potentially, so he’s gonna get blocked there. The next guy may get through all of those, but he’s gonna get hung up on the phone number fraud. As we try and deliver that second factor, that device is not approved based on the settings. And then finally, the last one’s gonna get hung up on the user behavior analytics, for example. Rob, if he remembers his password, or if I pull up my email, I tell him his password, he’s gonna be able to sign in to the application. And we’re only gonna challenge Rob if the risk is found. And so that’s the theory there, and then that way, from a pre-authentication check, we can pull back those password requirements and be able to push in straightforward there into that.
0:21:35.1 RG: So let’s talk about the consideration. So wanna spend a little time on this. I think password-less is a great topic. I think there’s a lot of things that organizations want to achieve. There’s a lot of great benefits. I know that the organizations I’ve talked with, a couple of them have not kind of gotten to the second level of discussion about, “What does that really mean to us? What would password-less mean in the organization?” This is really food for thought for you as you think about a password-less strategy in your organization. What are some things to consider? And so crucial questions that you need to answer from an organizational perspective. And the first and foremost is, do you have adaptive authentication deployed, whether it’s our solution or other solutions, that ability to have that increase in security, increase in trust? As you think about removing the password, that’s gonna be key.
0:22:33.6 RG: And then underneath that question is, which adaptive authentication layers? Are you checking the geo-velocity, geolocation, dynamic perimeter? Do you have a threat service that runs? Are you looking at device fingerprinting? You’d wanna think about mapping those out, so to increase the trust in that transaction as we remove the password. And then the second very crucial question for organizations is, which multi-factor methods are you gonna offer users? So you’ll have your choice, as you remove password and go password-less, think about the difference between having OTP via SMS versus maybe a Google key, Titan key or a Yubikey, and the level of assurance you get from those multi-factor methods. You might wanna move towards the higher end of those multi-factor methods and then what does that mean to the organization? You have to think about, is everybody gonna have the capability to have those, use those. And so that’s another question to answer.
0:23:37.9 RG: The third one is, and this ties to the what multi-factors you’re gonna offer, do all your users have smartphones? So thinking about removing the password, if you’re challenging users, how are you gonna deliver that multi-factor? Especially as you move to the higher end of security for those multi-factors, we think about push to accept, symbol-to-accept, link to accept. Some of those are gonna need to have an infrastructure of smartphones. What are you gonna do if all users don’t have them? How are you gonna address that, which multi-factors you’re gonna be able to employ for them? That mapping exercise, you wanna go through as you think about password-less in your strategy. This number four, this next one, I can tell you two customers I talked to that did not think about this. And this actually hurt them in the roll out as they started to roll this out, and this is all about communication. And as I mentioned earlier in the webinar, there’s an inherent kind of… Users are inherently used to the idea of password-less, and they’re used to entering passwords. And if that is not available for them, there is a lot of panic in the beginning.
0:24:47.5 RG: And so, I think a strong communication plan, coupled with that last point that you see here, your end user training, starts to mitigate that. People believe… And I know because I’ve talked to customers and they’ve talked to their end users, people believe that passwords removed means security is dropped. And so what the communication plan should start to outline for the end users and internal stakeholders is in fact, security is increased. So we’re having the adaptive authentication, we’re having those layers of security that are running in the background, and then only when we are breaching those thresholds are we gonna challenge the users. Passwords are inherently weak, and so actually, we’ve swapped out a weaker method for a stronger method by having the adaptive authentication in the background. But that needs to clearly be communicated across the organization and the end user training for the end user to get used to a paradigm of not having to enter a password.
0:25:45.3 RG: I’ve seen help desk tickets come in where there is not… The helpdesk ticket was, “Help me. I’ve somehow forgotten my password, lost and found, so I can’t enter my password. How do I get on to the access, or how do I get access to that resource?” Even though they actually were passed through, they were confused and concerned, ’cause there was no password. So end user training is critical for them to understand what does that workflow look like when you remove the password? What is that user experience? What should you expect as a user? And how is it more secure that you’re not entering your password now? Why is that more secure? Critical, crucial questions to answer and address.
0:26:28.3 RG: The other thing that sometimes organizations forget or don’t address is how to prepare the help desk. So the help desk is going to start getting calls. And they’re gonna start getting calls that they’re not used to. So, “Where is the password? What happened to the password? I forgot my… ” You’ll hear it articulated from end users differently in different ways. You need to prepare the help desk to answer those questions. And help desk should be well-versed in… For this workflow, if you’re trying to get to this resource, this is a password-less workflow. You wouldn’t expect to see the password in there. You may get challenged for your MFA, but you won’t expect to see password. So that needs to be prepared in advance with the help desk, so they know how to handle those calls.
0:27:15.5 RG: The other point that you wanna think about is a pilot. And this is crucial for a number of different reasons. Number one, to make sure that you’ve thought about and have architected that workflow and the roll-out strategy correctly. So you take a small group of friendlies in the organization, with maybe a low risk asset and you put that password-less workflow in place there with a pilot group. So that’s number one. Number two is, you’re gonna get evangelists. Now you’re gonna get stakeholders that were involved in the pilot, end users that understood, after they’ve used it for a while, what is the value of it? How does it work? What does it do for the user experience? And they can go out in the organization and start to talk about that. So a small pilot that’s well thought out that has key success metrics that you’ve got evangelists or potential evangelists involved will help get you ready for that wider roll out.
0:28:15.0 RG: And you’ll also learn things in the pilot that will help you, and there are things that you wouldn’t have thought of. So that internal messaging is so key for adoption. Next thing is that phased roll-out. So your goal now is adoption. So as you define the workflows and as you make sure that you’ve got the right assets, the right MFA methods, you’ve done your communication, you’ve got your help desk planned, prepped, now you need to talk about your roll-out strategy. And one of the things in the roll-out strategy that’s key is you’ve got a clearly defined phasing of that. You know who your end users are in there, and you’ve let your evangelists talk to those pilot groups and this phased roll-out groups, and let them spread that knowledge of what password-less means. What should they expect? Is everybody registered? Are we ready to go? And you do that in phases so that the help desk doesn’t get overwhelmed. And you can start to tweak and adjust your communication and your potential configuration as you’re rolling that out.
0:29:23.0 RG: And then the last we bring up here is success metrics. This is the thing that they miss, I think a lot of organizations miss is what does success look like from a password-less roll out? What does that mean to the organization? Does it mean every workflow, every resource, everybody? Does it mean tightly constricted and defined workflows for only certain resources and people? This needs to be defined, what is success? And then it needs to be propagated throughout the organization. Does everybody understand what is our password-less strategy? What does success mean? How do we know when we’re gonna be successful on our password-less journey?
0:30:06.1 RG: And it is a journey. I think that’s the other thing that I would say, and I mentioned it earlier, our first iteration of this right now is the abstraction of the password from the user. The second release that’s coming in July, we’ll roll out FIDO 2.0 capabilities, which will be another level down for your password-less. So one of the things, if you’re an organization, you think about your journey to password-less, the phasing is not just how you roll it out in the organization, the phasing is also the password-less experience versus password-less from a technical perspective, down at the transaction level using the protocol like FIDO 2.0, and what does that mean to your organization? So I think just understanding and thinking about these questions, answering these questions inside your organization is really gonna help you succeed in doing that.
0:31:00.8 RG: So to wrap-up, we’ve talked about a lot of things. I think there’s four key takeaways. The first one is about passwords, expensive, easily compromised, but I would also argue in there, here to stay for a while, at least. So password-less is not, in my mind, a big bang, everything in the organization moves at once. I think that password-less is a nuanced discussion about where can you get the most benefit to remove some of that friction and increase security and remove that easily compromised and expensive piece of that, which is password, and so that’s one key takeaway here.
0:31:42.5 RG: The other one is, we know, and we’ve seen, and we continue to see moving away from passwords into biometrics and into some of these other things increases user satisfaction, increases security, increases control, lowers your cost of ownerships. All those are good things. If you can have a password strategy that allows you to get there, there are good benefits that await the organization. Solving the password problem requires something you have and something you are, in combination with adaptive authentication. So phase one of your password-less journey, to abstract the password from the user, you’re gonna need to have something he is and something he has, in combination with adaptive authentication, to remove that, increase in security and increase in the user experience.
0:32:33.7 RG: And then the successful password-less deployment is gonna include a strong communication and education plan. I think that’s key. If users don’t understand what’s coming and they don’t understand what to expect, even if it works flawlessly, it’s not going to succeed in the organization. You need to define what success looks like for your organization, what is the scope of your password-less journey, what do you define as success and let everybody understand that so they can see it when it happens. And a pilot with a phased roll-out strategy is a necessity as well. That big bang, especially on something like this won’t work. It’s too radical typically, for most organizations. So get a small pilot, build your believers, let those believers go back into the organization, spout those beliefs and then start a phased roll-out from there.
0:33:29.9 RG: So, I’m hoping that this helped you start to think about what password-less could mean to your organization. I’m hoping that some of those key thoughts and key questions to be answered will spark some discussion within your organization as you think about what password-less could mean to you and your organization. I offer you my email address and my phone number, if you’ve got questions, comments or concerns or would like to talk to us about how we can help you on your password-less journey. We’re always willing to help and we’ve got some real market, real world experience of what works, what doesn’t work. A lot of times, it’s really not always about the technology. It’s more about the approach, and how you define it, and then how you layer in the technology in the way that it makes sense for your organization. So I’m hoping that really was valuable for you today, and I will wish you all a happy World Password Day, and a great rest of your day. Thank you very much.