Episode 10

Passwordless Authentication: Myths and Realities

Driven by a mission and passion to fight online crime, Ori Eisen, Founder and CEO of Trusona, explains the fundamentals of passwordless authentication and why it is a superior and simpler way of securing access. He also dispels several myths and addresses potential adoption hurdles, ranging from incompatibility with legacy applications to transition costs, regulatory compliance, privacy concerns, and more. Ori offers some valuable tips and recommendations to protect individuals from becoming victims of hacking. Finally, he shares some hilarious jokes at the end.

To access and download the entire podcast summary with discussion highlights --

https://www.dchatte.com/episode-10-passwordless-authentication-myths-and-realities/


----------------------------------------------------

Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

Transcript
Introducer:

Welcome to the Cybersecurity Readiness Podcast series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of Cybersecurity Readiness: A Holistic and High-Performance Approach, a recently published book by SAGE Publishing. He has been studying cybersecurity for over a decade, authored and edited scholarly papers, delivered talks, conducted webinars and workshops, consulted with companies and served on a cybersecurity SWAT team with chief information security officers. Dr. Chatterjee is an Associate Professor of Management Information Systems at the Terry College of Business, the University of Georgia, and Visiting Professor at Duke University's Pratt School of Engineering.

Dr. Dave Chatterjee:

Hello, everyone. I'm delighted to welcome you to another episode of the Cybersecurity Readiness Podcast. Today, we will be talking about the myths and realities of passwordless authentication. I'm really excited to welcome our guest on today's show, Mr. Ori Eisen, truly a highly distinguished player, member of the information technology community. He has spent the last two decades fighting online crime, and holds over two dozen cybersecurity patents. He is the founder and CEO of Trusona, that offers the world's first insured authentication solution. Prior to founding Trusona, Ori was the founder at 41st Parameter, the leading online fraud prevention and detection solution for financial institutions that was acquired by Experian in 2013. And, prior to that, Mr. Eisen served as the Worldwide Fraud Director for American Express. And prior to that, Ori was the Director of Fraud Prevention for VeriSign Network Solutions. By developing new and innovative technologies, he skillfully reduced fraud losses by over 85% in just three months. So, it's truly a pleasure to have Ori on the show today. Welcome Ori!

Ori Eisen:

Thank you for having me, Dave, and hello to all the listeners.

Dr. Dave Chatterjee:

So Ori, when I was reading about your contributions about a passwordless world that we might be entering in the near future, I'm excited; and I have a whole bunch of questions. And I'm sure our listeners have similar questions as well. So let's get started. And if you could give us a little bit of a primer on what is passwordless authentication.

Ori Eisen:

In the 60s, when computing really took off, many people wanted to use a computer. And they got to the point of doing time sharing. So if you had 10 people trying to use the same mainframe, you got the hours one to two, and your friend got two to three. And in order to reserve your time slot they used a password; it was easy and quick, everybody knew how to do it. When the 90s came about, we were still using passwords. And again, maybe system admins and other people used it, but no one ever thought it would be embedded in every single factor of our life. And factor is used with a pun. I think today when you look at what happened to Facebook just a few hours ago, and 1.5 billion users' username and password leaked online, it really shows you how penetrable the world of cyber security is if we're only leaving passwords to be the gateway between you and your money, you and your identity, you and your medical records and so forth. So in 2015, I joined both Ted Schlein from Kleiner Perkins and Frank Abagnale on a journey to say, hey, can we start a journey which I know everybody said can't be done. And it's difficult and it's, you know, hard to change the world. But we started this journey to say, why not? What else needs to happen, Dave, for us to say, you know what, maybe passwords are not the most secure thing. And our parents are not security experts we should trust with creating long and complicated passwords. So the whole idea of going passwordless is to remove this factor, which as you probably know, contributes to 81% of all the data we see lost out there, and just do away with it. Because the technology to do it is already in our pockets. It's just that we have not made an effort as a, you know, community to make that step.

Dr. Dave Chatterjee:

I couldn't agree with you more, it is such a great need, we need to move in that direction. Absolutely. In fact, I'm sure our listeners would like to know that according to the Verizon Data Breach Report, in 2019 alone, 81% of hacking-related breaches involved the use of lost or stolen credentials. And yet, we are still engulfed in the world of passwords. Gartner predicts that by 2022, 60% of large and global enterprises, and 90% of midsize enterprises, will implement passwordless methods in more than 50% of use cases; that's a very good sign. So Ori, what are some, you know, it's too good to be true, right? Like even now, I hate to admit this, but I have to keep track of 50 or 60 different passwords. They're not totally different, but they are different. And I am kind of ashamed that I am still doing that. And I haven't come up with something more sophisticated. But I wonder, you know, there's a saying that when something is too good to be true, it probably is. So can you help dispel some of the myths around passwordless authentication?

Ori Eisen:

Dave, remembering 40 or 50 is good news. You're lucky; if you're a system admin at a large company you have 200 passwords you need to know. And many have to write them down, put them in an Excel sheet, or even get into a password vault. So the first thing I'll dispel is, why do I need to go passwordless if I'm using a password vault? Well, for two reasons. Putting your passwords into a password vault does not eliminate them. And if you were to inspect with Wireshark or Ethereal (network protocol analyzer) the connectivity between you and the server, you'll see that the password vault only saves you from remembering it, but it's still on the wire. So if you have malware or anything like a Man-In-The-Middle, you are still revealing your credentials. That is the main reason that I'm a big proponent of this. Yes, there's a UX (User Experience) aspect that it's easy to use. Yes, it will be saving money because fewer people will call your Help Desk to say I forgot my password, right. But from a security perspective, it's so easy just to get malware on a computer, wait for the good guy to get in, and that's it, you got their credentials. That is really what we need to change. So the first thing to dispel is that, you know, password vaults do not change that, right, they kind of put the passwords under the carpet, so to speak, so you don't see them. But let me tell you, they're still there, and they're still transmitted on the wire. The second thing I would dispel is, many companies in the space who were not ready, they were kind of caught flat-footed by not having passwordless; they devised very clever means and tricks to convince their customers that they have gone passwordless, even though they didn't. Let me give you a classic example. Say that you log in from the same IP address every day; I can then tell my authentication system that if Dave comes in from the same IP to just let you sail through without needing to type username and password, so they call that, quote unquote, passwordless. That is really called risk-based authentication, for those of you who are listening, and it still doesn't solve the core issue that if somebody gets a hold of your username and password, even if they come from a different IP address, yes, they will be challenged with it, and with those static credentials they can get in. So I just wanted you to see that just doing the little bit, the small move, is not really going to save our society from this scourge of static passwords.

Dr. Dave Chatterjee:

Thank you for that. Thank you for that. That's very enlightening. So let's say if an organization wants to move in the direction of passwordless authentication, there are many methods of doing so. Right. And so how would you know, what would be some factors that could influence an organizational decision of adopting a particular method? And if I'm wrong, please correct me. You are the expert here.

Ori Eisen:

Yeah, let me tell you, after doing this now for five years, what I would recommend to everybody who's listening, whether they have their own website or blog on a personal level, or they're working for a company. Early on in our journey, we offered, and still do, a free plugin for WordPress. WordPress is one of the most prolific website editors; go implement Trusona for your WordPress site, even if it's your personal site, and play with it, experience it, try to beat it, try to hack it, try to see what would it take to break it. And after you have that epiphany, ask yourself as a consumer and ask yourself as a security practitioner, well, why aren't we doing this everywhere? The reason we have given this for free, other than to learn user behavior and perfect software, is to give people something to start with. Otherwise, I agree with you, Dave, it feels like a bridge too far. Like, it's too good to be true. No, the year is now, the time is here. Go try something because it's free. So you can't say I can't get the money to do it. It's not about money anymore. The delta between going passwordless or not, on many of the systems, is just your sheer will. That's it. Now, I would assure you that in many cases, when we offer it to consumers, it's free. So that's not a reason for an organization not to take it. But yes, you need to use the Trusona app, so people who don't want to see our brand, and want to buy our stuff as a white label, sure, you need to pay at some point. But the point is, it's so easy to get started now with integrations to most systems, most, you know, SaaS (Software-as-a-Service) services, that you cannot find any excuse of it's too difficult or too expensive or too hard. We have taken that off the table. Now it's all about the sheer will of people to stop using passwords, and curb the funding of evil. And we can talk about that as we go through.

Dr. Dave Chatterjee:

Yes, in fact, I want to also inform the listeners that you are one of those people who's very big on fighting online crime. He's dedicated his life to fighting online crime. He volunteers with Thorn, the digital defenders of children. He founded Ball to All, a charity that donates free soccer balls around the world to children who have never had one. He's a founding member of Security Canyon, Arizona's cybersecurity coalition. So Ori is truly a wonderful human being. And it's such a pleasure to have him on the show today. So, Ori, following up on what you were talking about, and pardon me if I'm repeating myself here, but a little bit of redundancy never hurts. So when we say passwordless authentication, how are users being authenticated? And what about that information that is being used to authenticate individuals? How is that secure? And if that falls in the hands of the wrong folks, isn't that concerning?

Ori Eisen:

Great questions. So let's take two steps back. And again, help demystify what is passwordless authentication. The first thing to know is that it does not use static passwords that users pick. So that's the first thing to know. So obviously, you can ask, well, what does it use? It uses the very same architecture and technology we already have used for e-commerce in the form of HTTPS (Hyper Text Transfer Protocol Secure) certificates, and public and private keys (encryption methods). So if you buy into the notion that it's better to send my credit card online when it is encrypted, and I have the private key, and the other side have their own private key, and we have a common public key, and you agree mathematically that this is safe. What if I told you that the credentials we use are just like a credit card that is then encrypted on one end, and decrypted on the other end, so a man in the middle cannot just open them up, cannot reuse them? And furthermore, we've added a layer called anti-replay, knowing that some of the malware will listen to our traffic, and will simply try to replay it, not knowing what the values are, but they'll say, look, if it opened the door on Monday, it should open the door on Tuesday. Alas, the answer is no. When you look undercover into what we're doing, we've built a mechanism that if you send exactly the same transmission again, we would block it as saying this is not real, and this is not our true persona, or Trusona. So I can go into more details of how the mechanics work. But for simplification, if you know how PKI (Public Key Infrastructure) works, this is exactly it. We're using the crypto store on your mobile phone to store a private key that never leaves your phone. Hence it is distributed. So Dave, if we put our identity on a million different phones, and you are a hacker, you now need to crack a million phones to get to them, as opposed to one database filled with passwords. So it's the same kind of technology, but now democratized through the fact that most people have a smartphone and have some kind of a biometric to unlock it.

Dr. Dave Chatterjee:

Okay, okay. Good to know, good to know. So when I was doing my research on this topic, and I was trying to learn about the pros and cons of passwordless authentication, something that came up was incompatibility with legacy applications. Could you speak to that?

Ori Eisen:

Absolutely. When we look into the future, and we see protocols like FIDO (Fast Identity Online), we will absolutely use it when you can. But the world is filled with computers and systems that lived in the past and never knew this new standard is coming. So we started way before FIDO existed or became a standard, with some proprietary technology that allows us to scan a QR code on an ATM, then move the session to your mobile phone, extract the identity as we discussed before, and send it to the backend to be authenticated. And if you're a little bit more technical, or you know the IAM space, what happens is that the backend sends a SAML (Security Assertion Markup Language) assertion to the system to say, yep, this is Dave, please open his door. So with everything that does not use the latest technology, we kind of downgrade the interface to use either a push notification or a QR scan to invoke the process. But from there on the phones take it; then we don't need the older systems to have all the bits and pieces, they just need to be able to say, yep, this is you, in the same exact way, Dave, that username and password would say, yep, this is you.

Dr. Dave Chatterjee:

Okay, now, you mentioned FIDO. What is FIDO?

Ori Eisen:

FIDO is a protocol that began about 10 years ago, to help take physical token keys, like almost USB sticks, and put a private, public key on those things in order to authenticate. It's just that now every phone in the world has that capability. So while I appreciate the efforts done there, and I do think they are used in many cases where you can't enter a phone into a secure room, totally get that, for most consumers and our parents, the key is not to change their UX (User Experience); if they log in into their phone every day by putting their fingerprint or if they are using their face, let them also identify their true persona by doing the same thing, especially when the underlying technology is exactly the same. So I'm a proponent of not changing the taboo, not changing the security behavior, because then you have something to overcome. Let's make it easy, ubiquitous and democratize it. Like we've democratized the use of Facebook, right? Or Instagram, right? Let's use the ability of having every phone having biometrics and an ability to store a certificate to secure the identities once and for all and stop with the

Dr. Dave Chatterjee:

Fantastic. So in the spirit of making it easy, it seems like we don't have to choose between convenience or security, we can have the best of both worlds, right?

Ori Eisen:

The answer is yes. And I know, Dave, that many people who are cynical will say, well, you say that. But unfortunately, we have 60 years, 60 years of heritage where security was always about adding another padlock to a door, always. So management never wanted to add more security, because it translated directly to more friction, which translates directly to less sales. I mean, let's be honest, if the marketing and sales people would control their website, there would be no password, they'll just say come in and buy something, right. So those two worlds always had a friction. And when I was the head of Risk at one of the largest credit card companies, I witnessed this firsthand. I wanted to help people stop being victims of fraud and asked them to be more secure. It's just that in the very means I've asked them to do it, they now get confused. And they forget what the secret was. So they call me to tell me I got stuck. So it's almost like you've given them enough rope, and they'll hang themselves, right? Today, we live in a world where I love the fact that the main platforms like Samsung and Apple and Google have made it so easy to use biometrics, and have put it on every phone. And all I'm saying is, like, why not harness that ease with great security. And yes, you can have the best of both worlds. But you couldn't say that 10 years ago.

Dr. Dave Chatterjee:

Very true. Very true. Now the solution sounds great. And we need to move in that direction. What about the cost aspect of it? I've read that the cost implications can be significant. Is there any truth to that?

Ori Eisen:

So let's parse it down. I'll start, I know this is not a commercial, but I and other companies in our space encourage people to start with free solutions. Free as in not even a contract. Go integrate the API (Application Programming Interface) to your website, go tell people you can download this app to get in. Just so you can see that the baby steps could be taken today without any friction whatsoever, because we want the world to become passwordless, right? After that, if you have a brand issue and marketing and you want to do it, as I said before, as a white label, yes, you need to pay. But to get going, everybody who's listening to this podcast can start today. Okay, so where are the costs? The costs are in changing, every time you train. Let's say you have a company with 10,000 employees. And up until now they've used username and password and an authenticator app with OTP (One Time Password). Yes, you need to send them emails to say next month we're upgrading to passwordless, you will not use this anymore, here's how you will log in. Clearly there is an adjustment period. And there might be some cost of people asking questions, yes. But that, compared to getting hacked, that compared to letting the bad guys win, that compared to every two months you get a call about I forgot my password, diminishes completely. And that's really where the hurdle is. I don't think it's in acquiring the software, Dave, anymore. It is all about change management, and getting on a passwordless journey, as we call it, because no one's gonna do a big bang change and just change overnight. We don't recommend that. But if you just change your desktops, and then you change your SSO, for the most part, no one's using passwords anymore in your company.

Dr. Dave Chatterjee:

Interesting, very interesting. What about the regulations aspect of it? I was reading somewhere that regulations require clear information on data storage; considering the sensitive nature of passwordless data, when it isn't stored appropriately, there could be a lot of issues. How would you react to this statement?

Ori Eisen:

Yeah. First of all, I love the question. I'm going to give the listeners an example of what does it really mean and how we're handling it now. Say that we live 30 years in the past, okay. And every time you come to inspect your vehicle, they need to put something in your exhaust pipe to measure emissions, right Dave? So you certify that you're not a polluter. Okay, now we roll the tape 30 years, and the first Tesla comes off the manufacturing line. And they come to the DMV (Department of Motor Vehicles), and the person there does not know where to stick the thing to measure the emissions. So they might say, I'm sorry, I can't certify you because my instrument to measure pollution cannot be used because you don't have an exhaust pipe. But I hope it is obvious to you and the listeners that: what do you mean, this is like better than any exhaust ever, this doesn't have any emissions. But there's a delta now between the forms and the processes we've used in the past, which all relied on having passwords, and the reality of no passwords. So I'll give you an example. When an examiner comes to a bank and says, okay, I want to see that you guys are maintaining eight characters and uppercase, and the bank says we don't have passwords at all, like, we don't have them, so we don't need to maintain them. Sorry, that's a problem for me, because the process and the protocol say your password must be this length. You see the dichotomy. It's very similar to a car that doesn't have any emission, and you're trying to measure its emissions. So the way we're solving it now, Dave, is let CISOs (Chief Information Security Officers) keep any password they want, it could be 200 characters in the system. So when the examiners come, they say, oh my god, you're the best password I've ever seen. But in parentheses, no user is ever going to use that. But that is really the period we go through right now in order to appease the past, even though it makes no sense anymore, right, in a world without passwords. But we don't want to fight it. We don't want to swim upstream. So we just let CISOs store whatever you want in your systems, show it to your examiners. But your users will never need to know this password nor use it, and you as the CISO can change it every week if you wanted to, because it's now just a security gate. It's not a usability hindrance or anything like that.

Dr. Dave Chatterjee:

Okay, that's very, very good to know. What about privacy concerns? You think users, you know, how would you alleviate privacy concerns amongst users?

Ori Eisen:

Love that question. So going back to the fact that we're using a public and private key, you can assign it to a very long string that does not reveal the identity, that can be completely anonymous. But note that the only thing we can attest to in the SAML 2 assertion is, like, this key is back. But I can't say if it's Dave or not Dave. Okay, so that's the basic level, it could be completely anonymous. And in fact, most of the hardware keys we talked about before are anonymous, because you simply don't know who purchased them. On top of it, we are big believers in hanging an identity through the process of identity proofing, and it could be a minimum of an email magic link. So I'll send you an email, you go click a link, so I know you're the owner of this link, all the way to a scan of a driver's license and checking with the DMV (Department of Motor Vehicles) that you really are who you say you are, verifying your phone records. There are different services you can layer on top of the baseline of just a certificate in order to know the true persona. And that is key when you open a bank account, and you need to go through AML (Anti-Money Laundering) and KYC (Know Your Customer) checks, or you want to get your medical records, and I really need to know I'm opening it up to Dave, and not somebody who pretends to be Dave, right. So depending on the use case, we can start with full anonymity all the way to as much identity proofing as you want. But the core technology is the same. And in all of these use cases, you don't need to remember a static password. Wow.

Dr. Dave Chatterjee:

Very, very interesting. All right, I keep throwing questions at you, and you just address them so effectively. Another question for you. So, you know, how does passwordless authentication, you know, where does that factor in when it comes to multi-factor authentication, mobile multi-factor authentication? How are they connected?

Ori Eisen:

Great question. In the past, we only had username and password. And that is only one factor. And if you don't mind, I'll give a primer to people who are hearing about authentication for the first time. Now, there are only three factors: something that you know, like a mother's maiden name or a password; something that you are, which is usually biometrics, so a template of your fingerprint, of your iris, a voiceprint, or your Face ID; or something that you have, and that could be a physical token, a document or anything like that. So when you say multi factor, what you really mean is that you have more than one factor being used in the authentication. And to illustrate, username and password are both elements of something that you know, hence it's a single factor authentication. Now, if username and password were really strong and secure and worked, you would never need two factor, you would never need multi factor. Why? Because it works. That's it. Because of data breaches, and everything that you read in the news, having a username and password that is easily obtainable is just not good enough. And that was the source, in the early 80s and mid 90s, of adding a second factor, and the poster child was RSA (the company RSA Data Security) and their tokens that change, OTP (One Time Password) tokens, that say: I'll give you username and password, knowing that you could reveal them by mistake to a phish or something like that. So now I'll give you a token that expires every 30 seconds. And that is something that you have, because it's a token, physical possession. And together, they created a two factor authentication system. Okay. So how does it translate to the mobile phone? Well, a mobile phone on its own is a token, the factor of something that you have. By the mere fact we placed a certificate on it, we have a high level of assurance that this is the right certificate. Because most of the phones today have a biometric login into them, we can consider that as something that you are. So Face ID and the certificate give you two separate factors. It's just, Dave, they're not using the original factor of something that you know, namely a password, so we're still in 2FA (Two-Factor Authentication) or MFA (Multi-Factor Authentication). But it does not use the single factor of something that you know, like a password.

Dr. Dave Chatterjee:

So, it becomes stronger. Multi factor authentication becomes much stronger and more effective if you were to go passwordless?

Ori Eisen:

Correct. And to give you the example from before, let's just say there's an organization and all their customers' passwords are in one database. If I breach that, I basically got into all your accounts. However, if the same organization puts a public key and a private key on every one of their customers' phones, clearly the database doesn't have those keys, because that's how PK (Public Key) works. That means I'll have to go and hack one phone at a time, which I hope demonstrates how effective it is. And that it lowers the profitability for the bad guys, which is really what we're after: to make it so difficult that they go do something else and not try to hack the accounts.

Dr. Dave Chatterjee:

Absolutely. Well, let's talk about the bad guys. And let's talk about your motivation, what got you doing what you're doing, and all the great things you've been doing in trying to reduce or fight online crime.

Ori Eisen:

Our mission at Trusona is to curb online evil and the funding of evil, and I know it sounds very altruistic. If you really track everywhere we put our software and what happens after, you see the attack rate goes down. What do I mean? The bad guys who were there up to a week ago and could just enter in with username and password now get stuck. There are simply no username and password fields to put in. And they can't use their methods, so they have to go elsewhere, and that curbs their funding. The way I got into it is, when I was working at the large financial institution, I started seeing how the crime happens, and who ends up benefiting from it if you follow the money. And you'll see, Dave, that losing the money for the bank is not fun. But when the bad guys get a hold of these funds, they use it for five things that are far worse, like narcotics and human trafficking, and terrorism and weapons smuggling, and also child exploitation online. That is what I'm after. When you see what evil is done with the money that gets stolen, all of a sudden it's no longer a job or managing your risk on some Excel sheet. It becomes a mission. And I'm proud to tell you, for every Trusonaut that is working at Trusona, part of their interview process, and part of how people join this mission, is to have that need to curb that, above and beyond selling software to banks and healthcare companies and so forth.

Dr. Dave Chatterjee:

Very commendable. I applaud your efforts; I hope you continue to have great success. Along those lines, Ori, there are lots and lots of people out there who are not very technically savvy; the level of cybersecurity awareness around the world is okay, not great, based on my experience talking to the global community. So there's a need for a lot of help. What tips or recommendations would you have for anyone on protecting themselves from different types of attacks? And I know this is a very broad question. And, you know, it may not be possible to give a very comprehensive response. But something is better than nothing. So give some tips for our listeners.

Ori Eisen:

Will do. So, let's take today. It's October 4, 2021, a Monday, that we're recording this. In the news today, if you load cnn.com, you'll see that the headline news is that Facebook has been disrupted, okay. I assume that most of you are Facebook users by design, or Instagram users. So assume that today you were told, point blank, your account information now resides in the underground and is being sold. One way to think about it is all is lost and our hair is on fire, and we can't do anything. But everybody who listens to this podcast can do one thing today, which will completely undo or usurp the bad guys: change your password today, or as soon as Facebook is up. I know you can't do it right this moment. But when you read about the next hack, the next breach, whether you are a member of that organization or not, that should be a very good reminder for you to change your passwords. Why? Because the moment you change it, who cares that the old ones were stolen; it's like old keys to your house and you change the lock, it doesn't matter anymore. Now I know some of you would say, oh my god, with the rate of breaches today, I need to do it every other day. Which, by the way, is the very reason why we're talking about this. That's why we want to get rid of passwords, so as a society we don't need to do it. But until the day we really live a passwordless life, take note: every two weeks, every four weeks, every 90 days, just put a cadence in your calendar, just like you get a haircut, then you go, you know, to change the oil of your car, to change the password, at least to your more important services like bank, healthcare, and so forth. Such that if the data will be breached, and I hope you get the cynicism in my line, your data has been breached, it's just you might know it or not. So assume that it was breached. And by changing it, you are helping to curb the funding of evil, just by switching the key, and you can, because it doesn't cost you anything; again, it's just sheer will at this point. It's not about money, it's not about difficulty, you know how to change your password. So go do it. That's the first tip I will give, because then you are getting yourself out of the mass hacks and you reduce the chances of you being hit.

Dr. Dave Chatterjee:

Excellent. So changing your password is an extremely important thing that you should be doing, as Ori said. Ori, if you could add a few other tips relating to how you can have a strong password and what's the most effective way of storing your password. Though I, when people ask me, I say rather than store, try to remember; if you forget, what's the worst that can happen? You have to go ahead and reset; that's better than having it available somewhere that is accessible. So, Ori, what are your thoughts about a strong password and how best to store passwords?

Ori Eisen:

Yeah, first of all, I want to agree with you and echo what you said. One of the worst things I see people do is put all their passwords in the password vault, and they protect all their passwords with a, wait, here's a little sound, password. No, that's not good. How do you take all your passwords and protect them with one password? That means if someone gets to that one master password, you have given away the keys to the kingdom. Let me pause for effect. That is why I'm against password vaults, because we're making it easy for the bad guys to say you just need to guess one now in order to get the rest of them, right. So I'm not for that. If you want to create a password that is both strong and memorable, again, I may go off what most of the recommendations are, which is to create a long password that is filled with letters and numbers. Those suggestions have never come from human research. They've come from very practical mathematicians who said, this will be harder to guess because of entropy. Now for all of you who are CS students, yes, entropy is correct, but think about your parents; they're not a machine, they're not a computer, and the older they get, the faster they'll forget their passwords, right. So we have to not keep propagating what doesn't work, which is 20 character passwords with the, you know, uppercase and lowercase; you have to give them a different path to success. And clearly the password "password" or "123456" should not be what people use. So what I would recommend is to use a passphrase. You can get to entropy, even though it's fewer types of characters, but with more letters. So if you use something like "my password is my name", right, just that full sentence, you have now made a password that may be 23 or 20 characters, but it's only a sentence, very accessible, and does not have to have upper, lower and a number. Unfortunately, some websites will not let you use that because of the propagation of forcing you with rules to pick passwords that will be hard to remember, which will make you forget them and call the service provider. So I know that's a vicious cycle, but if you can pick something that is simply long, that is a pure sentence, and does not have to have special characters, that is way better than an eight character password that is with special characters.

Dr. Dave Chatterjee:

Yeah, I couldn't agree with you more. So using a passphrase and changing your passwords frequently, and try not to store it anywhere. Because it's a myth that if you use a password vault, people can't access it. People can; the server administrator has access to that kind of information. So the less you put out there, either on paper or even online, the better. Keeping it very simple and keeping it jargon free. Fantastic. This was fabulous. We covered a lot of topics. Now we need to do something fun, Ori. Share with us that VC joke that I heard in one of your other podcasts the other day. I think our listeners would love to hear that joke.

Ori Eisen:

How about I'll do this. I'll say I prepared a different one for you today. I didn't even know you were gonna ask, so I'll tell both, and then in edit you can decide what you want to add. The VC joke goes like this: a man is in the hospital, and he needs to go through a heart transplant. And the doctor comes and says, Wow, you're in luck, we have three different candidates to give a heart and all of them match your blood type, so you can pick. So the patient says, Wow, tell me a little bit about who the donors are. Says, well, one donor is the person who just died at the end of a race. They were an athlete, everything about them is great, but they just had a heart attack. So you can have their heart. Says okay, what's the second candidate? Said the second candidate is somebody who's very healthy, maintained a great lifestyle and just was hit in an accident. Said, Wow, that sounds good. Says, what's the third one? Third one is, we got a VC, a person who's from the venture capital community, and he died unexpectedly today. And the patient says, ahh, I want that heart for sure. And when the doctor says why, why do you want that heart? He says, it has never been used.

Dr. Dave Chatterjee:

Love it, love it. And what's the other one?

Ori Eisen:

Okay, so I'll tell you now the second joke, which I hope to tell today, and to make it interesting and unique there for you and your listeners. The husband is asking his wife, Honey, can you please remind me what did you set the bank password to, because I can't remember it? And she says, Are you writing this down? He says yes I am. And she starts reading it: Mickey, Pluto, Rapunzel, and she goes on and on and on, and then she says Washington, DC. He says, oh my god, this password is like 64 characters. Why did you make it this? Then the wife says, well, they said I need to use a capital and eight special characters.

Dr. Dave Chatterjee:

Love it, love it. Ori, it's been truly a pleasure talking to you. Thank you for educating me and my listeners, and we learned so much today. We'd love to have you back again to share more of your expertise and your thoughts. Any final words to wrap up this session?

Ori Eisen:

Ask yourself, why have you not pushed your service providers to go passwordless? And if you're at work, ask your team, why are we not prioritizing it? And start the journey. I hope you can have some links to people who want to try for free to start. If I said to you today, send me your resume in a fax, you'd think that it's crazy. I hope that using a password will be just as crazy a few years from now.

Dr. Dave Chatterjee:

Thank you again, Ori, it was a pleasure having you. A special thanks to Ori Eisen for his time and insights. If you liked what you heard, please leave the podcast a rating and share it with your network. Also subscribe to the show, so you don't miss any new episodes. Thank you for listening, and I'll see you in the next episode.

Introducer:

The information contained in this podcast is for general guidance only. The discussants assume no responsibility or liability for any errors or omissions in the content of this podcast. The information contained in this podcast is provided on an AS IS BASIS with no guarantee of completeness, accuracy, usefulness, or timeliness. The opinions and recommendations expressed in this podcast are those of the discussants and not of any organization.

About the Podcast

The Cybersecurity Readiness Podcast Series
with Dr. Dave Chatterjee

About your host


Dave Chatterjee

Dr. Debabroto 'Dave' Chatterjee is tenured professor in the Management Information Systems (MIS) department, at the Terry College of Business, The University of Georgia (UGA). He is also a Visiting Scholar at Duke University, affiliated with the Master of Engineering in Cybersecurity program in the Pratt School of Engineering. An accomplished scholar and technology thought leader, Dr. Chatterjee’s interest and expertise lie in the various facets of information technology management – from technology sense-making to implementation and change management, data governance, internal controls, information security, and performance measurement. His work has been accepted and published in prestigious outlets such as The Wall Street Journal, MIT Sloan Management Review, California Management Review, Business Horizons, MIS Quarterly, and Journal of Management Information Systems. Dr. Chatterjee’s research has been sponsored by industry and cited over two thousand times. His book Cybersecurity Readiness: A Holistic and High-Performance Approach was published by SAGE Publishing in March 2021.