Episode 10
Passwordless Authentication: Myths and Realities
Driven by a mission and passion to fight online crime, Ori Eisen, Founder and CEO of Trusona, explains the fundamentals of passwordless authentication and why it is a superior and simpler way of securing access. He also dispels several myths and addresses potential adoption hurdles, ranging from incompatibility with legacy applications to transition costs, regulatory compliance, privacy concerns, and more. Ori offers some valuable tips and recommendations to protect individuals from becoming victims of hacking. Finally, he shares some hilarious jokes at the end.
Time Stamps
02:40 -- If you could give us a little bit of a primer on what is passwordless authentication.
05:10 -- So can you help dispel some of the myths around passwordless authentication?
09:10 -- What would be some factors that could influence an organizational decision of adopting a particular method?
11:32 -- So how are users being authenticated? And what about that information that is being used to authenticate individuals? How is that secure? And if that falls in the hands of the wrong folks, isn't that concerning?
14:44 -- So when I was doing my research on this topic, and I was trying to learn about the pros and cons of passwordless authentication, something that came up was incompatibility with legacy applications. Could you speak to that?
16:12 -- Okay, now, you mentioned FIDO. What is FIDO?
17:32 -- So it seems like we don't have to choose between convenience or security, we can have the best of both worlds, right?
19:07 -- Now the solution sounds great. And we need to move in that direction. What about the cost aspect of it? I've read that the cost implications can be significant. Is there any truth to that?
21:04 -- What about the regulation aspect of it, I was reading somewhere that -- regulations require clear information on data storage, considering the sensitive nature of passwordless data when it isn't stored appropriately, there could be a lot of issues, would you? How would you react to this statement?
23:46 -- What about privacy concerns? You think users, you know, how would you alleviate privacy concerns amongst users?
25:29 -- What is the relationship between passwordless authentication, multi-factor authentication, and mobile multi-factor authentication?
28:17 -- Multi-factor authentication becomes much stronger and effective if you were to go passwordless. Correct?
29:09 -- Well, let's talk about the bad guys. And let's talk about your motivation, what got you doing, what you're doing, and all the great things you've been doing and trying to reduce or fight online crime.
30:59 -- What tips or recommendations would you have to anyone from protecting themselves from different types of attacks?
34:15 -- So, Ori, what are your thoughts about a strong password and how best to store passwords?
37:24 -- Ori, share with us that VC joke that I heard in one of your other podcasts the other day. I think our listeners would love to hear that joke.
39:27 -- What's the other joke?
40:13 -- Any final words to wrap up this session?
Memorable Ori Eisen Quotes/Statements
"Maybe passwords are not the most secure thing. And our parents are not security experts we should trust with creating long and complicated ends, passwords. So the whole idea of getting passwordless is to remove this factor, which as you probably know, contributes to 81% of all the data we see lost out there and just do away with it. Because the technology to do it is already in our pockets."
"The first thing to know is that passwordless authentication does not use static passwords that users pick. So that's the first thing to know. So obviously, you can ask, Well, what does it use? It uses the very same architecture and technology we already have used for e-commerce in the form of HTTPS certificates, and public and private keys."
"Putting your passwords into a password vault does not eliminate them. And if you were to inspect with Wireshark or Ethereal, the connectivity between you and the server, you'll see that the password vault only saves you from remembering it, but it's still on the wire. So if you have malware or anything like a Man-In-The-Middle, you are still revealing your credentials."
"It's not about money anymore. The delta between going passwordless or not, on many of the systems is just your sheer will. That's it."
"So I'm a proponent of not changing the taboo, not changing the security behavior, because then you have something to overcome. Let's make it easy, ubiquitous, and democratize it."
"I hope today if I say fax me your resume, you'll think that's crazy. I hope that using a password will be just as crazy a few years from now."
Trusona Links
Link to free WordPress plugin: https://wordpress.org/plugins/trusona/
Try a passwordless login: https://www.trusona.com/workforce/try
Ball To All: https://www.balltoall.org/; Or on social media @balltoall
Thorn: https://www.thorn.org/
----------------------------------------------------
Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast
Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.
Connect with Dr. Chatterjee on these platforms:
LinkedIn: https://www.linkedin.com/in/dchatte/
Website: https://dchatte.com/
Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338
Transcript
Introducer:Welcome to the Cybersecurity Readiness Podcast series
Introducer:with Dr. Dave Chatterjee. Dr. Chatterjee is the author of
Introducer:Cybersecurity Readiness: A Holistic and High-Performance
Introducer:Approach, a recently published book by SAGE publishing. He has
Introducer:been studying cybersecurity for over a decade, authored and
Introducer:edited scholarly papers, delivered talks, conducted
Introducer:webinars and workshops, consulted with companies and
Introducer:served on a cybersecurity SWAT team with chief information
Introducer:security officers. Dr. Chatterjee is an Associate
Introducer:Professor of Management Information Systems at the Terry
Introducer:College of Business, the University of Georgia and
Introducer:Visiting Professor at Duke University's Pratt School of
Introducer:Engineering.
Dr. Dave Chatterjee:Hello, everyone. I'm delighted to
Dr. Dave Chatterjee:welcome you to another episode of the Cybersecurity Readiness
Dr. Dave Chatterjee:Podcast. Today, we will be talking about the myths and
Dr. Dave Chatterjee:realities of passwordless authentication. I'm really
Dr. Dave Chatterjee:excited to welcome our guest on today's show, Mr. Ori Eisen,
Dr. Dave Chatterjee:truly, a highly distinguished player, member of the
Dr. Dave Chatterjee:information technology community. He has spent the last
Dr. Dave Chatterjee:two decades fighting online crime, and holds over two dozen
Dr. Dave Chatterjee:cybersecurity patents. He is the founder and CEO of Trusona,
Dr. Dave Chatterjee:that offers the world's first insured authentication solution.
Dr. Dave Chatterjee:Prior to founding Trusona, Ori was the founder at 41st
Dr. Dave Chatterjee:parameter, the leading online fraud prevention and
Dr. Dave Chatterjee:detection solution for financial institutions that was acquired
Dr. Dave Chatterjee:by Experian in 2013. And, prior to that, Mr. Eisen served as the
Dr. Dave Chatterjee:Worldwide Fraud Director for American Express. And prior to
Dr. Dave Chatterjee:that, Ori was the Director of Fraud Prevention for VeriSign
Dr. Dave Chatterjee:Network Solutions. By developing new and innovative technologies,
Dr. Dave Chatterjee:he skillfully reduced fraud losses by over 85% in just three
Dr. Dave Chatterjee:months. So, it's truly a pleasure to have Ori on the show
Dr. Dave Chatterjee:today. Welcome Ori!
Ori Eisen:Thank you for having me, Dave, and hello to all the
Ori Eisen:listeners.
Dr. Dave Chatterjee:So Ori, when I was reading about your
Dr. Dave Chatterjee:contributions about a passwordless world that we might
Dr. Dave Chatterjee:be entering in the near future, I'm excited; and I have a whole
Dr. Dave Chatterjee:bunch of questions. And I'm sure our listeners have similar
Dr. Dave Chatterjee:questions as well. So let's get started. And if you could give
Dr. Dave Chatterjee:us a little bit of a primer on what is passwordless
Dr. Dave Chatterjee:authentication.
Ori Eisen:In the 60s, when computing really took off, many
Ori Eisen:people wanted to use a computer. And they got into the point of
Ori Eisen:doing time sharing. So if you had 10 people trying to use the
Ori Eisen:same mainframe, you got the hours one to two, and your
Ori Eisen:friend got two to three. And in order to reserve your time slot
Ori Eisen:they used a password; it was easy and quick, everybody knew how to
Ori Eisen:do it. When the 90s come about, we are still using passwords.
Ori Eisen:And again, maybe system admins and other people used it, but no
Ori Eisen:one ever thought it would be embedded in every single factor
Ori Eisen:of our life. And factor is used with a pun. I think today when
Ori Eisen:you look at what happened to Facebook just a few hours ago
Ori Eisen:and 1.5 billion users username and password leaked online. It
Ori Eisen:really shows you how penetrable the world of cyber security is
Ori Eisen:if we're only leaving passwords to be the gateway between you
Ori Eisen:and your money, you and your identity you and your medical
Ori Eisen:records and so forth. So in 2015, I joined both Ted Schlein
Ori Eisen:from Kleiner Perkins and Frank Abagnale on a journey to say,
Ori Eisen:Hey, can we start a journey which I know everybody said
Ori Eisen:can't be done. And it's difficult and it's, you know,
Ori Eisen:hard to change the world. But we started this journey to say, why
Ori Eisen:not what else needs to happen, Dave, for us to say, you know
Ori Eisen:what, maybe passwords are not the most secure thing. And our
Ori Eisen:parents are not security experts we should trust with creating
Ori Eisen:long and complicated ends, passwords. So the whole idea of
Ori Eisen:getting passwordless is to remove this factor, which as you
Ori Eisen:probably know, contributes to 81% of all the data we see lost
Ori Eisen:out there and just do away with it. Because the technology to do
Ori Eisen:it is already in our pockets. It's just that we have not made
Ori Eisen:an effort as a, you know, community to make that step.
Dr. Dave Chatterjee:I couldn't agree with you more, it is such
Dr. Dave Chatterjee:a great need, we need to move in that direction. Absolutely. In
Dr. Dave Chatterjee:fact, I'm sure our listeners would like to know that
Dr. Dave Chatterjee:according to the Verizon Data Breach Report, in 2019 alone,
Dr. Dave Chatterjee:81% of hacking related breaches involved the use of lost or
Dr. Dave Chatterjee:stolen credentials. And yet, we are still engulfed in the world
Dr. Dave Chatterjee:of passwords. Gartner predicts that by 2022, 60% of large and
Dr. Dave Chatterjee:global enterprises, and 90% of midsize enterprises will
Dr. Dave Chatterjee:implement passwordless methods in more than 50% of use cases,
Dr. Dave Chatterjee:that's a very good sign. So Ori, what are some, you know, it's
Dr. Dave Chatterjee:too good to be true, right? Like even now, I hate to admit this,
Dr. Dave Chatterjee:but I have to keep track of 50 or 60 different passwords.
Dr. Dave Chatterjee:They're not totally different, but they are different. And I am
Dr. Dave Chatterjee:kind of ashamed that I am I am still doing that. And I haven't
Dr. Dave Chatterjee:come up with something more sophisticated. But I wonder you
Dr. Dave Chatterjee:know, when there's a saying that when something is too good to be
Dr. Dave Chatterjee:true, it probably is. So can you help dispel some of the myths
Dr. Dave Chatterjee:around passwordless authentication?
Ori Eisen:Dave, remembering 40 or 50 is good news. You're lucky
Ori Eisen:if you're a system admin at a large company you have 200
Ori Eisen:passwords you need to know. And many have to write them down,
Ori Eisen:put them in an Excel sheet, or even get into a password vault.
Ori Eisen:So the first thing I'll dispel is, why do I need to go
Ori Eisen:passwordless if I'm using a password vault? Well, for two
Ori Eisen:reasons. Putting your passwords into a password vault does not
Ori Eisen:eliminate them. And if you were to inspect with Wireshark or
Ori Eisen:Ethereal (network protocol analyzer), the connectivity
Ori Eisen:between you and the server, you'll see that the password
Ori Eisen:vault only saves you from remembering it, but it's still
Ori Eisen:on the wire. So if you have malware or anything like a
Ori Eisen:Man-In-The-Middle, you are still revealing your credentials. That
Ori Eisen:is the main reason that I'm a big proponent of this. Yes,
Ori Eisen:there's a UX (User Experience) aspect that it's easy to use.
Ori Eisen:Yes, it will be saving money because less people will call
Ori Eisen:your Help Desk to say I forgot my password, right. But from a
Ori Eisen:security perspective, it's so easy just to get malware on a
Ori Eisen:computer, wait for the good guy to get in. And that's it, you
Ori Eisen:got their credentials, that is really what we need to change.
Ori Eisen:So the first thing to dispel is that, you know, password vaults
Ori Eisen:do not change that, right, they kind of put the passwords under
Ori Eisen:the carpet, so to speak, so you don't see them. But let me tell
Ori Eisen:you, they're still there, and they're still transmitted on the
Ori Eisen:wire. The second thing I would dispel is, many companies in the
Ori Eisen:space who were not ready, they were kind of caught flat footed
Ori Eisen:by not having passwordless; devised very clever means and
Ori Eisen:tricks to convince their customers that they have gone
Ori Eisen:passwordless, even though they didn't; let me give you a
Ori Eisen:classic example. Say that you log in from the same IP address
Ori Eisen:every day, I can then tell my authentication system that if
Ori Eisen:Dave comes in from the same IP to just let you sail through
Ori Eisen:without needing to type username and password, so they call that
Ori Eisen:quote unquote, passwordless. That is really called risk based
Ori Eisen:authentication for those of you who are listening, and it still
Ori Eisen:doesn't solve the core issue that if somebody gets a hold of
Ori Eisen:your username and password, even if they come from a different IP
Ori Eisen:address, yes, they will be challenged with it. And with
Ori Eisen:those static credentials they can get in. So I just wanted you
Ori Eisen:to see that just doing the little bit, the small move, is
Ori Eisen:not really going to save our society from this scourge of
Ori Eisen:static passwords.
Dr. Dave Chatterjee:Thank you for that. Thank you for that.
Dr. Dave Chatterjee:That's very enlightening. So let's say if an organization
Dr. Dave Chatterjee:wants to move in the direction of passwordless authentication,
Dr. Dave Chatterjee:there are many methods of doing so. Right. And so how would you
Dr. Dave Chatterjee:know what would be some factors that could influence an
Dr. Dave Chatterjee:organizational decision of adopting a particular method?
Dr. Dave Chatterjee:And if I'm wrong, please correct me. You are the expert here.
Ori Eisen:Yeah, let me tell you after doing this now for five
Ori Eisen:years, what I would recommend everybody who's listening,
Ori Eisen:whether they have their own website or blog on a personal
Ori Eisen:level, or they're working for a company. Early on in our
Ori Eisen:journey, we offered it and still do a free plugin for WordPress.
Ori Eisen:WordPress is one of the most prolific website editors, go
Ori Eisen:implement Trusona for your WordPress site, even if it's
Ori Eisen:your personal site and play with it, experience it, try to beat
Ori Eisen:it, try to hack it, try to see, what would it take to break it.
Ori Eisen:And after you have that epiphany, ask yourself as a
Ori Eisen:consumer and ask yourself as a security practitioner, well, why
Ori Eisen:aren't we doing this everywhere? The reason we have given this
Ori Eisen:for free, other than to learn user behavior and perfect
Ori Eisen:software, is to give people something to start with.
Ori Eisen:Otherwise, I agree with you, Dave, it feels like a bridge too
Ori Eisen:far. Like, it's too good to be true. No, the year is now the
Ori Eisen:time is here. Go try something because it's free. So you can't
Ori Eisen:say I can't get the money to do it. It's not about money
Ori Eisen:anymore. The delta between going passwordless or not, on many of
Ori Eisen:the systems is just your sheer will. That's it. Now, I would
Ori Eisen:assure you that in many cases, when we offer it to consumers,
Ori Eisen:it's free. So that's not a reason for an organization not
Ori Eisen:to take it. But yes, you need to use the Trusona app, so but
Ori Eisen:people who don't want to see our brand, and want to buy our stuff
Ori Eisen:as a white label, sure, you need to pay at some point. But the
Ori Eisen:point is, it's so easy to get started now with integrations to
Ori Eisen:most systems, most, you know, SaaS (Software-As-A-Service)
Ori Eisen:services that you cannot find any excuse of it's too
Ori Eisen:difficult or too expensive or too hard. We have taken that off the
Ori Eisen:table. Now it's all about the sheer will of people to stop using
Ori Eisen:passwords, and curb the funding of evil. And we can talk about
Ori Eisen:that as we go through
Dr. Dave Chatterjee:Yes, in fact, I want to also inform the
Dr. Dave Chatterjee:listeners that you are one of those people who's very
Dr. Dave Chatterjee:big on fighting online crime. He's dedicated his life to
Dr. Dave Chatterjee:fighting online crime. He volunteers with Thorn, the
Dr. Dave Chatterjee:digital defenders of children. He founded Ball to All, a
Dr. Dave Chatterjee:charity that donates free soccer balls around the world to
Dr. Dave Chatterjee:children who have never had one. He's a founding member of
Dr. Dave Chatterjee:Security Canyon, Arizona's cybersecurity coalition. So Ori
Dr. Dave Chatterjee:is truly a wonderful human being. And it's such a pleasure
Dr. Dave Chatterjee:to have him on the show today. So, Ori, following up on what
Dr. Dave Chatterjee:you were talking about, and pardon me if I'm repeating
Dr. Dave Chatterjee:myself here, but a little bit of redundancy never hurts. So when
Dr. Dave Chatterjee:we say passwordless authentication. So how are users
Dr. Dave Chatterjee:being authenticated? And what about that information that is
Dr. Dave Chatterjee:being used to authenticate individuals? How is that secure?
Dr. Dave Chatterjee:And if that falls in the hands of the wrong, folks, isn't that
Dr. Dave Chatterjee:concerning?
Ori Eisen:Great questions. So let's take two steps back. And
Ori Eisen:again, help demystify what is passwordless authentication. The
Ori Eisen:first thing to know is that it does not use static passwords
Ori Eisen:that users pick. So that's the first thing to know. So
Ori Eisen:obviously, you can ask, Well, what does it use? It used the
Ori Eisen:very same architecture and technology we already have used
Ori Eisen:for e-commerce in the form of HTTPS (Hyper Text Transfer
Ori Eisen:Protocol Secure) certificates, and public and private keys
Ori Eisen:(encryption methods). So if you buy into the notion that it's
Ori Eisen:better to send my credit card online, when it is encrypted,
Ori Eisen:and I have the private key, and the other side have their own
Ori Eisen:private key, and we have a common public key, and you agree
Ori Eisen:mathematically that this is safe. What if I told you that
Ori Eisen:the credentials we use are just like a credit card that is then
Ori Eisen:encrypted on one end, and decrypted on the other end, so a
Ori Eisen:man in the middle cannot just open them up, cannot reuse them?
Ori Eisen:And furthermore, we've added a layer called anti replay knowing
Ori Eisen:that some of the malware will listen to our traffic, and will
Ori Eisen:simply try to replay it not knowing what the values are, but
Ori Eisen:they'll say, look, if it opened the door on Monday, it should
Ori Eisen:open the door on Tuesday. Alas, the answer is no. When you look
Ori Eisen:undercover into what we're doing, we've built a mechanism
Ori Eisen:that if you send exactly the same transmission, again, we
Ori Eisen:would block it as saying this is not real. And this is not our
Ori Eisen:true persona or Trusona. So I can go into more details of how
Ori Eisen:the mechanics work. But for simplification, if you know how
Ori Eisen:PKI (Public Key Infrastructure) works, this is exactly it. We're
Ori Eisen:using the crypto store on your mobile phone to store a private
Ori Eisen:key that never leaves your phone. Hence it is distributed.
Ori Eisen:So Dave, if we put our identity on a million different phones,
Ori Eisen:and you are a hacker, you now need to crack a million phones
Ori Eisen:to get to them as opposed to one database filled with passwords.
Ori Eisen:So it's the same kind of technology, but now democratized
Ori Eisen:through the fact that most people have a smartphone and
Ori Eisen:have some kind of a biometric to unlock it.
Dr. Dave Chatterjee:Okay, okay. Good to know, good to know. So
Dr. Dave Chatterjee:when I was doing my research on this topic, and I was trying to
Dr. Dave Chatterjee:learn about the pros and cons of passwordless authentication,
Dr. Dave Chatterjee:something that came up was incompatibility with legacy
Dr. Dave Chatterjee:applications. Could you speak to that?
Ori Eisen:Absolutely. When we look into the future, and we see
Ori Eisen:protocols like FIDO (Fast Identity Online), we will
Ori Eisen:absolutely use it when you can. But the world is filled with
Ori Eisen:computers and systems that lived in the past and never knew this
Ori Eisen:new standard is coming. So we started way before FIDO existed
Ori Eisen:or became a standard, with some proprietary technology that
Ori Eisen:allows us to scan a QR code on an ATM, then move the session to
Ori Eisen:your mobile phone, extract the identity as we discussed before,
Ori Eisen:and send it to the backend to be authenticated. And if you're a
Ori Eisen:little bit more technical, or you know the IAM space, what
Ori Eisen:happens is that the backend sends a SAML (Security Assertion
Ori Eisen:Markup Language) assertion to the system to say, Yep, this is
Ori Eisen:Dave, please open his door. So with everything that does not
Ori Eisen:use the latest technology, we kind of downgrade the interface
Ori Eisen:to use either push notification or a QR scan to invoke the
Ori Eisen:process. But from there on the phones take it then we don't
Ori Eisen:need the older systems to have all the bits and pieces they
Ori Eisen:just need to be able to say, Yep, this is you in the same
Ori Eisen:exact way Dave that username and password would say, Yep, this is
Ori Eisen:you.
Dr. Dave Chatterjee:Okay, now, you mentioned FIDO. What is
Dr. Dave Chatterjee:FIDO?
Ori Eisen:FIDO is a protocol that began about 10 years ago,
Ori Eisen:to help take physical token keys, like almost a USB sticks,
Ori Eisen:and put a private, public key on those things in order to
Ori Eisen:authenticate. It's just that now every phone in the world has
Ori Eisen:that capability. So while I appreciate the efforts done
Ori Eisen:there, and I do think they are used in many cases that you
Ori Eisen:can't enter a phone into a secure room, totally get that,
Ori Eisen:for most consumers and our parents, the key is not to
Ori Eisen:change their UX (User Experience); if they log in into their
Ori Eisen:phone everyday by putting their fingerprint or if they are using
Ori Eisen:their face. Let them also identify their true persona by doing
Ori Eisen:the same thing, especially when the underlying technology is
Ori Eisen:exactly the same. So I'm a proponent of not changing the
Ori Eisen:taboo, not changing the security behavior, because then you
Ori Eisen:have something to overcome. Let's make it easy, ubiquitous and
Ori Eisen:democratize it. Like we've democratized the use of
Ori Eisen:Facebook, right? or Instagram, right? Let's use the ability of
Ori Eisen:having every form having biometrics and an ability to store a
Ori Eisen:certificate to secure the identities once and for all and
Ori Eisen:stop with the
Dr. Dave Chatterjee:Fantastic. So in the spirit of making it
Dr. Dave Chatterjee:easy, so it seems like we don't have to choose between
Dr. Dave Chatterjee:convenience or security, we can have the best of both the
Dr. Dave Chatterjee:worlds, right?
Ori Eisen:The answer is yes. And I know Dave, that many
Ori Eisen:people who are cynical will say, well, you say that. But
Ori Eisen:unfortunately, we have 60 years, 60 years of heritage where
Ori Eisen:security was always about adding another padlock to a door,
Ori Eisen:always. So management never wanted to add more security,
Ori Eisen:because it translated directly to more friction, which
Ori Eisen:translates directly to less sales. I mean, let's be honest,
Ori Eisen:if the marketing and sales people would control their
Ori Eisen:website, there would be no password, they'll just say come
Ori Eisen:in and buy something right. So that those two worlds always had
Ori Eisen:a friction. And when I was the head of Risk, it's one of the
Ori Eisen:largest credit card companies I witnessed this firsthand. I
Ori Eisen:wanted to help people stop being victims of fraud and ask them to
Ori Eisen:be more secure. It's just that in the very means I've asked
Ori Eisen:them to do it, they now get confused. And they forget what
Ori Eisen:the secret was. So they call me to tell me I got stuck. So it's
Ori Eisen:almost like you've given them enough rope. And they'll hang
Ori Eisen:themselves, right? Today, we live in a world where I love the
Ori Eisen:fact that the main platforms like Samsung and Apple and
Ori Eisen:Google have made it so easy to use biometrics, and have put it
Ori Eisen:on every phone. And all I'm saying is like why not harness
Ori Eisen:that ease with great security. And yes, you can have the best
Ori Eisen:of both worlds. But you couldn't say that 10 years ago.
Dr. Dave Chatterjee:Very true. Very true. Now the solution
Dr. Dave Chatterjee:sounds great. And we need to move in that direction. What
Dr. Dave Chatterjee:about the cost aspect of it? I've read that the cost
Dr. Dave Chatterjee:implications can be significant. Is there any truth to that?
Ori Eisen:So let's parse it down. I'll start I know this is
Ori Eisen:not a commercial, but I and other companies in our space,
Ori Eisen:encourage people to start with free solutions. Free as in not
Ori Eisen:even a contract. Go integrate the API (Application Programming
Ori Eisen:Interface) to your website, go tell people you can download
Ori Eisen:this app to get in. Just so you can see that the baby steps
Ori Eisen:could be taken today without any friction whatsoever because we
Ori Eisen:want the world to become passwordless right? After that,
Ori Eisen:if you have a brand issue and marketing and you want to do it,
Ori Eisen:as I said before, as a white label, yes, you need to pay but
Ori Eisen:to get going. Everybody who's listening to this podcast can
Ori Eisen:start today. Okay, so where are the costs? The costs are in
Ori Eisen:changing every time you train, let's say you have a company
Ori Eisen:with 10,000 employees. And up until now they've used username
Ori Eisen:and password and an authenticator app with OTP (One
Ori Eisen:Time Password)? Yes, you need to send them emails to say next
Ori Eisen:month we're upgrading to passwordless, you will not use
Ori Eisen:this anymore. Here's how you will log in. Clearly there is an
Ori Eisen:adjustment period. And there might be some cost of people
Ori Eisen:asking questions, yes. But that compared to getting hacked that
Ori Eisen:compared to letting the bad guys win, that compared to every two
Ori Eisen:months, you get a call about I forgot my password, diminishes
Ori Eisen:completely. And that's really where the hurdle is. I don't
Ori Eisen:think it's in acquiring the software Dave anymore. It is all
Ori Eisen:about change management, and getting on a passwordless
Ori Eisen:journey, as we call it, because no one's gonna do a big bang
Ori Eisen:change and just change overnight. We don't recommend
Ori Eisen:that. But if you just change your desktops, and then you
Ori Eisen:change your SSO for the most part, no one's using passwords
Ori Eisen:anymore in your company.
Dr. Dave Chatterjee:Interesting, very interesting. What about the
Dr. Dave Chatterjee:regulations aspect of it, I was reading somewhere that --
Dr. Dave Chatterjee:regulations require clear information on data storage,
Dr. Dave Chatterjee:considering the sensitive nature of passwordless data when it
Dr. Dave Chatterjee:isn't stored appropriately, there could be a lot of issues,
Dr. Dave Chatterjee:would you? How would you react to this statement?
Ori Eisen:Yeah. First of all, I love the question. I'm going to
Ori Eisen:give the listeners an example of what does it really mean and now
Ori Eisen:how we're handling it. Say that we live 30 years in the past,
Ori Eisen:okay. And every time you come to inspect your vehicle, they need
Ori Eisen:to put something in your exhaust pipe to measure emissions, right
Ori Eisen:Dave? So you certify that you're not a polluter. Okay, now we
Ori Eisen:roll the tape 30 years, and the first Tesla comes off the
Ori Eisen:manufacturing. And they come to the DMV (Department of Motor
Ori Eisen:Vehicles), and the person there does not know where to stick the
Ori Eisen:thing to measure the emissions. So they might say, I'm sorry, I
Ori Eisen:can't certify you because my instrument to measure pollution
Ori Eisen:cannot be used because you don't have an exhaust pipe. But I hope
Ori Eisen:it is obvious to you and the listeners that: what do you
Ori Eisen:mean, this is like better than any exhaust ever, this doesn't
Ori Eisen:have any emissions. But there's a delta now between the forms
Ori Eisen:and the processes we've used in the past, which all relied on
Ori Eisen:having passwords, and the reality of no passwords. So I'll
Ori Eisen:give you an example. When an examiner comes to a bank and
Ori Eisen:says, Okay, I want to see that you guys are maintaining eight
Ori Eisen:characters and uppercase and but the bank says we don't have
Ori Eisen:passwords at all, like, we don't have them. So don't we don't
Ori Eisen:need to maintain them to belong. Sorry, that's a problem for me.
Ori Eisen:Because the process and the protocol, say your password must
Ori Eisen:be this length. You see the dichotomy. It's very similar to
Ori Eisen:a car, it doesn't have any emission, and you're trying to
Ori Eisen:measure its emissions. So the way we're solving it now, Dave,
Ori Eisen:is let CISOs (Chief Information Security Officers) keep any
Ori Eisen:password they want, it could be 200 characters in the system. So
Ori Eisen:when the examiners come, they say, Oh my god, you're the best
Ori Eisen:password I've ever seen. But in parentheses, no user is ever
Ori Eisen:going to use that. But that is really the period we go through
Ori Eisen:right now in order to appease the past, even though it makes
Ori Eisen:no sense anymore, right in a world without passwords. But we
Ori Eisen:don't want to fight it. We don't want to swim upstream. So we
Ori Eisen:just let CISOs store, whatever you want in your systems, show
Ori Eisen:it to your examiners. But your users will never need to know
Ori Eisen:this password nor use it and you as the CISO can change it every
Ori Eisen:week if you wanted to because it's now just a security gate.
Ori Eisen:It's not a usability hindrance or anything like that.
Dr. Dave Chatterjee:Okay, that's, that's very, very good
Dr. Dave Chatterjee:to know. What about privacy concerns? You think users, you
Dr. Dave Chatterjee:know, how would you alleviate privacy concerns amongst users?
Ori Eisen:Love that question. So going back to the fact that
Ori Eisen:we're using a public and private key, you can assign it to a very
Ori Eisen:long string that does not reveal the identity that can completely
Ori Eisen:be anonymous. But note that the only thing we can attest to the
Ori Eisen:SAML two assertion is like this key is back. But I can't say if
Ori Eisen:it's Dave or not, Dave. Okay, so that's the basic level, it could
Ori Eisen:be completely anonymous. And in fact, most of the hardware keys
Ori Eisen:we talked about before are anonymous, because you simply
Ori Eisen:don't know who purchased them. On top of it, we are big
Ori Eisen:believers in hanging an identity through the process of identity
Ori Eisen:proofing and it could be a minimum of email magic link. So
Ori Eisen:I'll send you an email you go click a link so I know you're
Ori Eisen:the owner of this link, all the way to a scan of a driver
Ori Eisen:license and checking the DMV (Department of Motor Vehicles)
Ori Eisen:that you really are who you say you are. Verifying your phone
Ori Eisen:records. There are different services you can layer on top of
Ori Eisen:the baseline of just a certificate in order to know the
Ori Eisen:true persona. And that is key when you open a bank account,
Ori Eisen:and you need to go through AML (Anti-Money Laundering) and KYC
Ori Eisen:(Know Your Customer) checks, or you want to get your medical
Ori Eisen:records, and I really need to know I'm opening it up to Dave,
Ori Eisen:and not somebody who pretends to be Dave, right. So depending on
Ori Eisen:the use case, we can start with full anonymity all the way to as
Ori Eisen:much identity proofing as you want. But the core technology is
Ori Eisen:the same. And in all of these use cases, you don't need to
Ori Eisen:remember a static password. Wow.
Dr. Dave Chatterjee:Very, very interesting. All right, I keep
Dr. Dave Chatterjee:throwing questions at you, and you just address them so
Dr. Dave Chatterjee:effectively. Another question for you. So, you know, how does
Dr. Dave Chatterjee:passwordless authentication, you know, how, where does that
Dr. Dave Chatterjee:factor in, when it comes to multi factor authentication,
Dr. Dave Chatterjee:mobile multi factor authentication, how are
Dr. Dave Chatterjee:they connected?
Ori Eisen:Great question. In the past, we only had username
Ori Eisen:and password. And that is only one factor. And if you don't
Ori Eisen:mind, I'll give a primer to people who are hearing about
Ori Eisen:authentication for the first time. Now, there are only three
Ori Eisen:factors, something that you know, like a mother's maiden
Ori Eisen:name or a password, something that you are, which is usually
Ori Eisen:biometrics. So, template of your fingerprint of your iris
Ori Eisen:voiceprint and, or your face ID, or factor or something that you
Ori Eisen:have. And that could be a physical token, a document or
Ori Eisen:anything like that. So when you say multi factor, what you
Ori Eisen:really mean is that you have more than one factor being used
Ori Eisen:in the authentication. And to illustrate username and password
Ori Eisen:are both elements of something that you know, hence, it's a
Ori Eisen:single factor authentication. Now, if username and password
Ori Eisen:were really strong and secure and worked, you would never need
Ori Eisen:two factor, you will never need multi factor. Why? Because it
Ori Eisen:works. That's it. Because of data breaches, and everything
Ori Eisen:that you read in the news, having username and password
Ori Eisen:that is easily obtainable is just not good enough. And that
Ori Eisen:was the source in the early 80s, and mid 90s. To add a second
Ori Eisen:factor, and the poster child was RSA (Public Key encryption
Ori Eisen:technology developed by RSA Data Security) and their tokens that
Ori Eisen:change OTP (One Time Password) tokens that says, I'll give you
Ori Eisen:username and password, knowing that you could reveal them by
Ori Eisen:mistake to a phish or something like that. So now give you a
Ori Eisen:token that expires every 30 seconds. And that is something
Ori Eisen:that you have because it's a token physical possession. And
Ori Eisen:together, they created a two factor authentication system.
Ori Eisen:Okay. So how does it translate to the mobile phone? While a
Ori Eisen:mobile phone on its own is a token of something that you have
Ori Eisen:to factor something that you have, by the mere fact we placed
Ori Eisen:a certificate on it, we have high level of assurance that
Ori Eisen:this is the right certificate, because most of the phones today
Ori Eisen:have a biometric login into them, we can consider that as
Ori Eisen:something that you are. So face ID and the certificate gives you
Ori Eisen:two separate factors. It's just Dave they're not using the
Ori Eisen:original factor of something that you know, namely a
Ori Eisen:password, so we're still in 2FA (Two-Factor Authentication) or MFA
Ori Eisen:(Multi-Factor Authentication). But it does not use the single
Ori Eisen:factor of something that you know, like a password.
Dr. Dave Chatterjee:So, it becomes stronger multi factor
Dr. Dave Chatterjee:authentication becomes much more stronger and effective if you
Dr. Dave Chatterjee:were to go passwordless.
Ori Eisen:Correct. And to give you the example from before,
Ori Eisen:let's just say there's an organization and all their
Ori Eisen:customers' passwords are in one database, if I breach that, I
Ori Eisen:basically got into all your accounts. However, if the same
Ori Eisen:organization puts a public key, and a private key on every one
Ori Eisen:of their customers' phones, clearly the database doesn't
Ori Eisen:have those keys, because that's how PK (Public Key) works. That
Ori Eisen:means I'll have to go and hack one phone at a time, which I
Ori Eisen:hope demonstrates how effective it is. And that it lowers the
Ori Eisen:profitability for the bad guys, which is really what we're
Ori Eisen:after, to make it so difficult that they go do something else
Ori Eisen:and not try to hack the accounts.
Dr. Dave Chatterjee:Absolutely. Well, let's talk about the bad
Dr. Dave Chatterjee:guys. And let's talk about your motivation, what got you doing,
Dr. Dave Chatterjee:what you're doing, and all the great things you've been doing
Dr. Dave Chatterjee:and trying to reduce or fight online crime.
Ori Eisen:Our mission at Trusona is to curb online evil
Ori Eisen:and the funding of evil and I know it sounds very altruistic.
Ori Eisen:If you really track everywhere we put our software and what
Ori Eisen:happens after you see the attack rate goes down. What do I mean?
Ori Eisen:The bad guys who were there up to a week ago and could just
Ori Eisen:enter in with username and password, now get stuck. There
Ori Eisen:are simply no username and password fields to put in. And
Ori Eisen:they can't use their methods so they have to go elsewhere and
Ori Eisen:that curbs their funding. The way I got into it is, when I was
Ori Eisen:working at the large financial institution, I started seeing
Ori Eisen:how the crime happens, and who ends up benefiting from it if
Ori Eisen:you follow the money, and you'll see Dave, that losing the money
Ori Eisen:for the bank is not fun. But when the bad guys get a hold of
Ori Eisen:these funds, they use it for five things that are far worse,
Ori Eisen:like narcotics and human trafficking, and terrorism and
Ori Eisen:weapons smuggling and also child exploitation online. That is
Ori Eisen:what I'm after, when you see what evil is done with the money
Ori Eisen:that gets stolen, all of a sudden is no longer a job or
Ori Eisen:managing your risk on some Excel sheet. It becomes a mission. And
Ori Eisen:I'm proud to tell you every Trusonaout that is working at
Ori Eisen:Trusona, part of their interview process, and part of how people
Ori Eisen:join this mission is to have that need to curb that, above
Ori Eisen:and beyond selling software to banks and healthcare companies
Ori Eisen:and so forth.
Dr. Dave Chatterjee:Very commendable. I applaud your
Dr. Dave Chatterjee:efforts, I hope you continue to have great success. Along those
Dr. Dave Chatterjee:lines Ori, there are lots and lots of people out there who are
Dr. Dave Chatterjee:not very technically savvy, the level of cybersecurity awareness
Dr. Dave Chatterjee:around the world is okay, not great, based on my experience
Dr. Dave Chatterjee:talking to the global community. So there's a need for a
Dr. Dave Chatterjee:lot of help. What tips or recommendations would you have
Dr. Dave Chatterjee:to anyone from protecting themselves from different types
Dr. Dave Chatterjee:of attacks? And I know this is a very broad question. And, you
Dr. Dave Chatterjee:know, it may not be possible to give a very comprehensive
Dr. Dave Chatterjee:response. But something is better than nothing. So give
Dr. Dave Chatterjee:some tips for our listeners.
Ori Eisen:Will do. So, let's take today, it's October 4, a
Ori Eisen:Monday that we're recording this 2021. In the news today, if you
Ori Eisen:load cnn.com, you'll see that the headline news is that
Ori Eisen:Facebook has been disrupted, okay. I assume that most of you
Ori Eisen:are Facebook users by design, or Instagram users. So assume that
Ori Eisen:today you were told, point blank, your account information
Ori Eisen:now resides in the underground is being sold. One way to think
Ori Eisen:about it is all is lost and our hair is on fire, and we can't do
Ori Eisen:anything. But everybody who listens to this podcast can do
Ori Eisen:one thing today, which will completely undo or usurp the bad
Ori Eisen:guys, change your password today, or as soon as Facebook is
Ori Eisen:up. I know you can't do it right this moment. But when you read
Ori Eisen:about the next hack, the next breach, whether you are a member
Ori Eisen:of that organization or not, that should be a very good
Ori Eisen:reminder for you to change your passwords. Why? Because the
Ori Eisen:moment you change it, who cares that the old ones were stolen,
Ori Eisen:it's like old keys to your house and you change the lock, it
Ori Eisen:doesn't matter anymore. Now I know some of you would say oh my
Ori Eisen:god with the rate of breaches today, I need to do it every
Ori Eisen:other day. Which by the way, is the very reason why we're
Ori Eisen:talking about this. That's why we want to get rid of passwords.
Ori Eisen:So as a society, we don't need to do it. But until the day we
Ori Eisen:really live a passwordless life. Take note, every two weeks,
Ori Eisen:every four weeks, every 90 days, just put a cadence to your
Ori Eisen:calendar just like you get a haircut then you go, you know,
Ori Eisen:to change the oil of your car, to change the password, at least
Ori Eisen:to your more important services like bank, healthcare, and so
Ori Eisen:forth, such that if the data will be breached, and I hope you
Ori Eisen:get the cynicism in my line, your data has been breached it
Ori Eisen:just you might know it or not. So assume that it was breached.
Ori Eisen:And by changing it, you are helping to curb the funding of
Ori Eisen:evil, just by switching the key and you can because it doesn't
Ori Eisen:cost you anything, again, it's just sheer will at this point.
Ori Eisen:It's not about money, it's not about difficulty, you know how
Ori Eisen:to change your password. So go do it. That's the first tip I
Ori Eisen:will give because then you are getting yourself out of the mass
Ori Eisen:hacks and you reduce the chances of you being hit.
Dr. Dave Chatterjee:Excellent. So changing your password is an
Dr. Dave Chatterjee:extremely important thing that you should be doing as Ori said.
Dr. Dave Chatterjee:Ori, if you could add a few other tips relating to how can
Dr. Dave Chatterjee:you have a strong password and what's the most effective way of
Dr. Dave Chatterjee:storing your password, though I, when people ask me, I say rather
Dr. Dave Chatterjee:than store try to remember; if you forget what's the worst that
Dr. Dave Chatterjee:can happen, you can, you have to go ahead and reset, that's
Dr. Dave Chatterjee:better than having it available somewhere that is accessible.
Dr. Dave Chatterjee:So, Ori, what are your thoughts about a strong password and how
Dr. Dave Chatterjee:best to store passwords?
Ori Eisen:Yeah, first of all, I want to agree with you and echo
Ori Eisen:what you said. One of the worst things I see people do is put
Ori Eisen:all their passwords in the password vault, and they protect
Ori Eisen:older passwords with a wait, here's a little sound. Password.
Ori Eisen:No, that's not good. How do you take all your passwords and
Ori Eisen:protect them with one password, that means if someone gets to
Ori Eisen:that one master password, you have given away the keys to the
Ori Eisen:kingdom. Let me pause for effect. That is why I'm against
Ori Eisen:password vaults, because we're making it easy for the bad guys
Ori Eisen:to say you just need to guess one now in order to get the rest
Ori Eisen:of them right. So I'm not for that. If you want to create a
Ori Eisen:password that is both strong and memorable, again, I may go off
Ori Eisen:what most of the recommendations are, which is to create a long
Ori Eisen:password that is filled with letters and numbers. Those
Ori Eisen:suggestions have never come from human research. They've come
Ori Eisen:from very practical mathematicians who said, this
Ori Eisen:will be harder to guess because of entropy. Now for all of you
Ori Eisen:who are CS students, yes, entropy is correct, but think
Ori Eisen:about your parents, they're not a machine, they're not a
Ori Eisen:computer, the older they get, the faster they'll forget their
Ori Eisen:passwords, right. So we have to not keep propagating what
Ori Eisen:doesn't work, which is 20 character passwords with the,
Ori Eisen:you know, uppercase and lowercase, you have to give them
Ori Eisen:a different path to success. And clearly the password "password" or
Ori Eisen:"123456" should not be what people use. So what I would recommend
Ori Eisen:is to use a passphrase. You can get to entropy, even though it's
Ori Eisen:less type of characters, but with more letters. So if you use
Ori Eisen:something like my password is my name, right, just that full
Ori Eisen:sentence, you have now made a password that may be 23 or 20
Ori Eisen:characters, but it's only a sentence very accessible and
Ori Eisen:does not have to have upper lower and a number.
Ori Eisen:Unfortunately, some websites will not let you use that
Ori Eisen:because of the propagation of forcing you with rules to pick
Ori Eisen:passwords that will be hard to remember, which will make you
Ori Eisen:forget them and call the service provider. So I know that's a
Ori Eisen:vicious cycle, that if you can pick something that is simply
Ori Eisen:long, that is pure sentence does not have to have special
Ori Eisen:characters that is way better than an eight character
Ori Eisen:password, that is with special characters.
Dr. Dave Chatterjee:Yeah, I couldn't agree with you more. So
Dr. Dave Chatterjee:having using a passphrase and changing your passwords
Dr. Dave Chatterjee:frequently and try not to store it anywhere. Because it's a myth
Dr. Dave Chatterjee:that if you use a password vault, people can't
Dr. Dave Chatterjee:access it. People can, the server administrator has access
Dr. Dave Chatterjee:to that kind of information. So the less you put out there,
Dr. Dave Chatterjee:either on paper or even online, the better. Keeping it very
Dr. Dave Chatterjee:simple and keeping it jargon free. Fantastic. This was
Dr. Dave Chatterjee:fabulous. We covered a lot of topics. Now we need to do
Dr. Dave Chatterjee:something fun Ori, share with us that VC joke that I heard in one
Dr. Dave Chatterjee:of your other podcasts the other day. I think our listeners would
Dr. Dave Chatterjee:love to hear that joke.
Ori Eisen:How about I'll do this. I'll say I prepared the
Ori Eisen:different one for you today. I didn't even know you're gonna
Ori Eisen:ask, so I'll tell both and then in Edit, you can decide what you
Ori Eisen:want add. The VC joke goes like this, a man is in the hospital,
Ori Eisen:and he needs to go through a heart transplant. And the doctor
Ori Eisen:comes and say, Wow, you're in luck, we have three different
Ori Eisen:candidates to give a heart and all of them match your blood
Ori Eisen:type, so you can pick, so the patient says, Wow, tell me a
Ori Eisen:little bit about who the donors are. Says well, one donor is the
Ori Eisen:person who just died at the end of a race. They were an athlete,
Ori Eisen:everything about them is great, but they just had a heart
Ori Eisen:attack. So you can have their heart, says okay, what's the
Ori Eisen:second candidate, said the second candidate is somebody
Ori Eisen:who's very healthy, maintained a great lifestyle and just was hit
Ori Eisen:in an accident, said, Wow, that sounds good. Says, what's the
Ori Eisen:third one? Third one, is we got a VC, a person who's from the
Ori Eisen:venture capital community and he died unexpectedly today. And the
Ori Eisen:patient says, ahh, I want that heart for sure. And when the
Ori Eisen:doctor says why, why do you want that heart? He says, it has
Ori Eisen:never been used.
Dr. Dave Chatterjee:Love it, love it, and what's the other
Dr. Dave Chatterjee:one?
Ori Eisen:Okay, so I'll tell you now the second joke, which I
Ori Eisen:hope to tell today and to make it interesting and unique there
Ori Eisen:for you and your listeners. The husband is asking his wife
Ori Eisen:Honey, can you please remind me what did you set the bank
Ori Eisen:password to because I can't remember it? And she says, Are
Ori Eisen:you writing this down? He says yes I am. And she started
Ori Eisen:reading it. Mickey, Pluto, Rapunzel, and she goes on and on
Ori Eisen:and on, and then she says Washington, DC says oh my god,
Ori Eisen:this password is like 64 characters. Why did you make it
Ori Eisen:this, then the wife says, well, they said I need to use a
Ori Eisen:capital and eight special characters.
Dr. Dave Chatterjee:Love it, love it. Ori, it's been truly a
Dr. Dave Chatterjee:pleasure talking to you. Thank you for educating me and my
Dr. Dave Chatterjee:listeners and we learned so much today. We'd love to have you
Dr. Dave Chatterjee:back again to share more of your expertise and your thoughts. Any
Dr. Dave Chatterjee:final words to wrap up this session?
Ori Eisen:Ask yourself, why have you not pushed your service
Ori Eisen:providers to go passwordless? And if you're at work, ask your
Ori Eisen:team, why are we not prioritizing it? And start the
Ori Eisen:journey. I hope you can have some links to people who want to
Ori Eisen:try for free to start. I hope today, I'll say send me your
Ori Eisen:resume in a fax, you'll think that it's crazy. I hope that
Ori Eisen:using a password will be just as crazy a few years from now.
Dr. Dave Chatterjee:Thank you again Ori, it was a pleasure
Dr. Dave Chatterjee:having you. A special thanks to Ori Eisen, for his time and
Dr. Dave Chatterjee:insights. If you liked what you heard, please leave the podcast
Dr. Dave Chatterjee:a rating and share it with your network. Also subscribe to the
Dr. Dave Chatterjee:show, so you don't miss any new episodes. Thank you for
Dr. Dave Chatterjee:listening, and I'll see you in the next episode.
Introducer:The information contained in this podcast is for
Introducer:general guidance only. The discussants assume no
Introducer:responsibility or liability for any errors or omissions in the
Introducer:content of this podcast. The information contained in this
Introducer:podcast is provided on an AS IS BASIS with no guarantee of
Introducer:completeness, accuracy, usefulness, or timeliness. The
Introducer:opinions and recommendations expressed in this podcast are
Introducer:those of the discussants and not of any organization.