Identity-related data breaches make up the vast majority of cyber-attacks and the number one way that cybercriminals target organizations is by stealing passwords. Passwords are notoriously unsecure: they’re not only easily guessed or cracked, but also growing increasingly difficult to manage, as users struggle to keep on top of the ever-expanding mountain of unique and complex passwords they’re expected to remember.
It’s clear that the way we manage our identities in the digital space is not working, and a radically new way of thinking about our online identities is needed. To find out more about what this future could look like, we spoke to Wolfgang Goerlich, an Advisory Chief Information Security Officer (CISO) at Cisco Secure.
Founded in 2010 in Ann Arbor, Michigan and acquired by Cisco in 2018, Duo Security is a leading provider in the authentication space. Goerlich started his cybersecurity career in the healthcare industry, before moving into consultancy and the identity and access management market. In 2019, he joined Cisco, where he works as an Advisory CISO with the Duo team.
Identity Has Become The Security Perimeter
We’re currently undergoing a period of intense digital transformation, Goerlich says. In the past, security teams knew that all employees were working in one office, using corporate-issued computers, accessing applications from the organization’s data center.
But today, the lines between our corporate and personal lives have become blurred. The rise of bring-your-own-device and Software-as-a-Service means there are now far more applications being accessed outside of the corporate network than inside it; so it is nearly impossible for security teams to manage all of the devices connecting to their corporate apps and resources with traditional security tools.
At the same time, the pandemic has caused arguably “the largest migration in recent human history,” Goerlich says, “and the first migration from physical to the digital.” This means that security teams can no longer look users in the eye or keep watch over network activity for signs of malicious behaviors.
The effect of this, Goerlich argues, is that the very foundations of security have been shaken. “All of our fundamental assumptions around security have shifted,” he says, “except for one: user-centric security.” For this reason, authentication is the single consistent piece of the security puzzle- whether that be in SaaS applications, on-premises apps, physical infrastructure, or hosted data centers.
“All of our fundamental assumptions around security have shifted, except for one: user-centric security.”
These challenges come at a precarious moment in the history of cybersecurity. Criminals are developing new and sophisticated ways to gain access to user-accounts; and the underlying problems around how security controls such as passwords have been built have given them the advantage.
“These are not new problems,” Goerlich says. “The problems with password authentication go back six decades. The very first password system ever had a data breach within months. Nobody liked passwords then. Nobody likes passwords now. They’re hard to secure and hard to protect. For six decades, all we’ve been able to do is ask the user to do more: Remember a longer password. Remember different passwords. Remember this more convoluted way of creating a password.”
Security teams continue to ask more of their users, while the scale of the identity challenge has become mind-boggling. “The typical person has over 200 passwords they need to remember. That’s an insane amount,” he says.
Solving The Identity Challenge
The best way we’ve been able to solve the password challenge over the past sixty years has been to add stronger factors of authentication on top of the password, essentially putting a suit of armor around a vulnerability that is always lurking beneath the surface.
The realization, Goerlich says, is that with new technologies, we no longer need the password at all. “Why do we still have the password? Why don’t we just rely on those stronger methods? The trend line in identity is towards passwordless, which relies on these other factors, that still provide strong authentication, often stronger authentication. And for the first time in a very, very long time, actually simplifying the user experience, and getting out of people’s way.”
It may seem paradoxical that removing the password could improve account security, but the strength of multi-factor authentication technologies makes this a reality, Goerlich says. Passwordless authentication removes the risk of reused and weak passwords, as well as the risk of passwords being stolen in phishing attacks or data breaches.
For the user, going passwordless will simplify the entire authentication process. “When you log into your applications with Duo, you authenticate with a strong factor. This could be a gesture or a biometric check on your phone, or it could be through the use of a security key. In the backend, we’re still applying multi-factor authentication, and in some cases, we’re creating unique authentications for each app, so if one of your apps does get breached, that authentication cannot be used anywhere else,” Goerlich says.
Zero Trust And The Horseless Carriage
Many analysts from across the identity management space have argued that moving to passwordless authentication is a key pillar of “Zero Trust”, the security principle that organizations should not inherently trust anything—inside or outside your organization—to have access to your network without continuous authentication. US President Joe Biden recently signed an executive order recommending all federal agencies move to a zero-trust architecture, with many private enterprises looking to follow suit.
“I would argue that passwordless is the user benefit in the Zero Trust business case,” Goerlich says. Zero Trust is the security approach that allows organizations to deploy passwordless in a way that they can have a high degree of confidence. But this change should not be thought of as simply removing the password.
“I come from Detroit where, one hundred years ago, high tech was the horseless carriage. What is a car? It’s a carriage without a horse! Brilliant! But that really ignored all of the safety, speed, and cultural changes that came with the automobile.”
“When we think of ‘passwordless authentication’, it has to be more than just removing the password.”
“When we think of ‘passwordless authentication’, it has to be more than just removing the password—just like the automobile is about more than removing the horse. It has to provide more security benefit. Those security benefits are sometimes talked about today as Zero Trust, which is essentially a series of well-designed access controls which reduce the risk of biometrics getting stolen, or tokens getting lost, or any other ways that we know criminals are going to try to circumvent the system. When we remove the password, we must increase the trust.”
Implementing Passwordless In Your Organization
On the path to passwordless authentication, there are some important steps which organizations should take, Goerlich says.
“Step one is implementing well-designed, well thought-through multi-factor. Put in place multi-factor so that when you have the opportunity to move to passwordless, you already have users enrolled, you already have users familiar with it.”
“The second thing is to consolidate your applications. If you’ve got 1,400 applications being delivered in many different ways, it’s very hard for your security team to get their head around that. Consolidate that with single sign-on, so you have one point to control.”
“The third step would be to look for ways to increase trust across all authentications. Those ways can be looking at the device a person is using, looking at the context and conditions at the point of authentication, and making strong, informed policy decisions at the point of authentication.”
“If you do multi-factor authentication, if you do single sign-on, if you do trusted access, you are in a good position to reduce a lot of the risk, as well as to start investigating what passwordless looks like and what it means to your organization.”
You can find out more about Duo Security here and you can read our review of the Duo Access solution here.