CISO Forum Summary: The Viability of Passwordless Authentication

Every month, Fortify Experts holds CISO Round Tables discussing the latest trends and topics.  Recently, we discussed the viability of passwordless authentication.

The desire is high to achieve Passwordless Authentication, but there appear to be very few Passwordless solutions that achieve the level of security required for the broad needs of a large enterprise.

Our discussion revolved around password best practices and what technologies are available to reduce the burden of managing and securing passwords.

Initial Questions to Consider:

  1. Would Passwordless Authentication (PA) increase security across the enterprise?
  2. How much will implementing PA cost the firm?
  3. What price will users be willing to pay for the convenience of PA (giving access to biometrics, using an app, or company-issued phones, USB security devices, etc.)?
  4. What legacy applications will be a barrier to implementing PA?
  5. Is the goal is to be Passwordless across the end user workstations & devices or across the entire enterprise?

What is Password Integrity:

  1. NIST standard recommendation is now to make passwords at least 12 characters, but they can be less complex making it easier to remember.
  2. Using passphrases such as “Thi$_i$_a_L0ng_Pa$$word” could significantly increase security.
  3. Many people are using “Lost my password” to log in each time. One firm, with many hourly workers, had to ramp up staff to assist with all the password change requests.  For them, this is an administrative nightmare and the desire to use a biometric (i.e. fingerprint) instead of a password is very high.
  4. One leader said, “We all are experiencing password & MFA overload.”
  5. One firm provides “LastPass” to all employees and their families, so they will utilize good password hygiene in personal accounts. This leads to better password hygiene at work.
  6. This same firm also provide Password Vaulting though Thycotic (now Delinea)
  7. They also enacted that if an employee fails a phishing test, they must change their passwords. This “Punishment” fits the ‘crime’ and is a natural consequence of their actions.
  8. One firm eliminated password security questions for their MFA into HR Systems. Instead, employees must use an app or VPN to get access to HR systems.
  9. One firm has gone to 16-character passwords, but they only expire once a year. Admin PW’s still expire every 90 days and Contractors also expire every 90 days.

Biometrics:

  1. Microsoft has been able to get 85% of their campus to Zero Trust and much of that is Passwordless using biometrics.
  2. Biometrics could solve so much of the password reset issues.
  3. Some firms like Wells Fargo are using Voice printing to authenticate. But it was recommended that you don’t manage the crown jewel with that.
  4. Voice was said to be one of the weaker biometrics. Face and fingerprints are better.

Multi-Factor Authentication (MFA):

  1. While MFA is more secure, it can be breached. If an email breach occurs, a SIM card is swapped, or a cell phone is left behind, MFA codes can be stolen, passwords can be reset, and access to systems can be compromised.
  2. Smishing (SMiSing) is making MFA less secure
  3. However, MFA is still recommended for all public facing apps.

Challenges to Implementing MFA

  1. A lot of legacy systems are still in place which inhibit a single sign-on MFA from being implemented.
  2. Each different division, acquisition or subsidiary has different ways of doing things making a universal MFA impractical.
  3. We should be cautious of using too much Push MFA because people are getting MFA fatigue.

Zero-Trust

  1. To achieve true zero trust, MFA needs to be redefined. It is more than just sending a code to your phone. Zero Trust MFA evaluates 3 factors:
    1. What you know – i.e. password
    2. What you have – i.e. personal device, authenticator, or a UBT
    3. What you are. – i.e. biometrics
  2. However, “what you are” is morphing – what you do is what you are. Some firms are analyzing your patterns to validate you. (i.e. keystrokes, habits, voice print, etc.) not just body parts.

Could a Personal Mobile Device be used for Passwordless Authentication?

  1. An Apple Watch can unlock your MAC workstation.
  2. Microsoft Hello for facial recognition has been mildly successful, but there are issues with having a good enough camera, or masks.
  3. It would require Microsoft and Apple to work together to build a holistic solution. That’s a real challenge.
  4. It seems like there is an opportunity to create an App which leverages a phone capability and tie it to a single sign-on solution to unlock enterprise applications.

Unhappy Path:

  1. Much of the focus is on the users “happy path” – when they have all they need to log in (device, PW, biometrics, etc.)
  2. The real thing that needs to be evaluated is the Unhappy Path (when the user doesn’t have one of those). Then what happens and how does one validate to get in?

Security on OT Systems:

  1. More focus needs to be put on the securing of OT systems where you may have 10+ people all interacting with the same terminals. Facial recognition may not be an option in a chemical plant if they have a serious incident.
  2. Maybe combining plant badging in/out, smart camera systems, proximity badges and storing this data in a block chain to evaluate multiple attributes to better validate if the right people have access.
  3. OT systems ‘should’ be air gapped but often they are not.
  4. One question was asked: “Is the biggest challenge using Passwordless Authentication on OT systems or is it at the app level where the masses are accessing thousands of applications?

YubiKey Authentication:

  1. YubiKey’s are typically Impractical at scale. There are no doubts about the security of the product.  The problem is the management of these in a remote work environment.  SecureID was the predecessor of the technology.  It is also difficult to manage in smaller organizations.
  2. How about Bring Your Own YubiKey? It was said to be not practical for larger corporation.  These should be Corporate assigned only.
  3. Do YubiKey’s expire? Depends on how they are set up.
  4. YubiKey’s would be good as a 3rd or 4th Not as a single sign-on or even a 2nd factor.

Challenges of YubiKey’s:

  1. YubiKey’s can be stolen.
  2. YubiKey trojans – Someone could switch out one embedded with ransomware on someone’s desk.
  3. Laptops have limited # of USB ports. Also, newer laptops may only have USB-C instead of USB-A.
  4. Logistical problems of getting YubiKey’s into employee’s hands if they are remote.
  5. When someone leaves the company, it become a challenge to shut all the access down. It’s just one more thing to disable especially if the process is not automated.

Other Emerging Technologies:

In Summary:

Thanks to the input of the security leaders who joined our CISO Forum which provided such insightful advice on how to improve your password authentication activities.

If you are a security leader and would like to participate in our monthly CISO Forums where we discuss valuable and actionable information as well as best practices and challenges, please register here.

About Tim Howard

Tim Howard is the founder of 4 technology firms including Fortify Experts which helps companies hire the Best Cyber Talent on the Planet as well as provides expert consulting and NIST-based security assessments

In addition, he has a passion for helping CISOs develop Higher Performing Teams through coaching, by creating interactive CISO Forums, and by helping them create highly-effective team cultures.

With each new hire, his firm produces an Employee Operating Manual to help clients understand how to motivate and maximize productivity while meeting the needs of each employee.

He also teamed up with Lyndrel Downs to launch Cybersecurity DIVAS to help promote the most influential women in cybersecurity and provide a mentoring program to help encourage and support more diversity within the industry.

Tim is married with 3 kids. He is an avid runner and has completed two IRONMAN Texas events. He is also a graduate of Texas A&M University. 

Invite Tim to connect:  www.linkedin.com/in/timhoward