Home

Search
Close this search box.
EPISODE 97
Passwordless Authentication with James Azar

PASSWORDLESS AUTHENTICATION WITH JAMES AZAR

About this episode

In today’s episode, we discuss the emerging topic of passwordless authentication with our guest James Azar, CTO and CSO of AP4 group who are well known for their work in critical infrastructure.

Passwords have been here for decades, but with the ever-changing nature of the technology industry, passwords are becoming a little weak for our needs.

Our hosts take the time to discuss what passwordless authentication is, how it can be implemented, and why there is a move towards passwordless.

After that, they go over the issue of balancing security and user experience and making sure our customers are satisfied and provided with solutions that fix their problems without sacrificing security.

Following that, they discuss some of the challenges that are associated with utilizing passwordless authentication, including different organization policies, user acceptance, and the lack of usability it could pose.

James then goes on to highlight that passwordless authentication is only as good as the user, and it always goes back to the human factor – it only changes the sophistication of the attack.

In the end, James highlights that the biggest decisive factor on whether an organization will move to passwordless authentication is going to be cost.

What you’ll learn

  • What is passwordless authentication? And why is it relevant?
  • How is passwordless authentication implemented?
  • How to balance security and good user experience?
  • What are the challenges of using passwordless authentication?
  • What is Zero Trust?

Relevant websites for this episode

Episode Transcript

 

Kip Boyle:
Everybody, welcome to Your Cyber Path. This is a podcast that’s focused on helping you either get your first cybersecurity job or your next cybersecurity job. We just want to make sure that you have the best possible cybersecurity career that you can. I’m Kip Boyle. I’m here with Jason Dion once again, and we have a guest today. His name’s James Azar. He’s the CTO of AP4 Group, and we’re going to have a wonderful conversation about passwordless authentication. But before we do that, I want to make sure that everybody knows that we, about a month ago, released one of our newest courses. It’s called Irresistible. I just wanted to invite Jason to say a couple of words about this course. I know I’m super excited about it. Go for it, Jason.

Jason Dion:
Yeah, so Irresistible was actually something we created based on feedback from our audience and our students. One of the things we had done over the last two years was we had a mastermind group and coaching program called Hired that we were doing with a lot of students, but it was price restricted, I guess.

Kip Boyle:
It was high touch.

Jason Dion:
It was very high touch. It required a lot of one-on-one time with Kip and me. The information was awesome in it, but it precluded a lot of students that wanted to be able to access it from accessing it, because we had to charge quite a bit of money because it required a lot of one-on-one time with Kip and I. As you know, cybersecurity experts and consultants, we make quite a bit of money if we’re doing consulting. So, for every hour we’re doing with you is an hour we couldn’t do consulting. We were trying to figure out a way that we can bring the same information to you at a very price affordable way, so it wasn’t restrictive.

So, what we did was we took all the information that we learned of working with those students over the last two years, and we put it into a self-paced course that is video on demand that you can get over at Udemy. You can find that at diontraining.com/udemy to get the link there, or if you go to yourcyberpath.com/irresistible, you can also get a direct link there that’ll take you over there. The course sells anywhere, usually from $10 to $20 on sale on Udemy. So, it’s a really low cost way for you to get this information. As we go through that, we talk all about resumes, negotiations, hiring, firing, applicant tracking systems, certifications and degrees, and all that stuff. It’s about a six-hour course that really dives deep.

If you follow along with the course, you’ll be able to write your resume the way you need to. You’ll be able to find jobs the way you need to, and you’ll be able to get through this hiring process. The reason it’s called Irresistible is because we want to make you irresistible to cybersecurity hiring managers. So, if you were bummed out that you couldn’t get in hired before because we had a very limited number of students who were allowed to go through because it was a high touch program or it was too expensive before, this is something you definitely want to check out. It will really help you.

As a listener to the podcast, it really goes in depth in a lot of the things that we cover through the podcast in a very formalized way, as opposed to having to go through 100 episodes of our podcast at an hour each. You’re able to go through this course in about six hours that is very tailored, very actionable, and walks you exactly through what you need to do to write your resume, do your interviews, and do your negotiations.

Kip Boyle:
What we found over those two years when we were working one-on-one with so many people is that yeah, there’s a lot of people who are trying to break into cybersecurity, of course. We’ve got lots of information to help you, whether you’re freshly graduated or whether you’ve been working 5 or 10 years in a different career and now you want to cross over, but it’s also good for people who’ve been in the career field. Let’s say, you’ve been in for 10 years, you’ve been working in the same place, and all of a sudden, you got victimized by a layoff or you’re tired of this place or you need to go someplace else. You haven’t been doing job search for a decade and everything’s changed.

So, you need to get caught up. Otherwise, you’re going to struggle and you’re going to be this massively talented, highly experienced person who gets frustrated because you can’t land a job because you don’t understand how to be irresistible today. So, that’ll help. So, this course will help you as well. So, there you go. So, we hope you try it and we’d love to hear your feedback about it. Please tell us what you think. So, okay, thank you. I just wanted to talk about that for a moment. So, we’ve got a wonderful guest here today, James Azar. Hi, James. How are you doing?

James Azar:
Doing well.

Kip Boyle:
Thanks for being here.

James Azar:
I’m tempted to go take the class now and I may want to also be irresistible.

Jason Dion:
Don’t worry, James, we got you covered.

Kip Boyle:
If you’re a hiring manager and you want to know how to better find people in your hiring queue, you should take the course as well, right? Because that’ll help tune your sensors as to who you should be looking for. Anyway.

James Azar:
Here’s my unknown secret. I may post a job, but I typically look for recommendations.

Kip Boyle:
We talk about that in the course, that the best possible way to get a job is by having somebody put your resume into the hands of the hiring manager, somebody that they know, like, and trust. So, that’s like the best possible situation, but we are here to talk about passwordless authentication. James, please take a moment and introduce yourself so that everybody knows who you are and what you’re doing.

James Azar:
So what I do today is I’m the CTO, CSO for a company called AP4 Group. We’re in the critical infrastructure space. Utilities, power generation, water systems, nuclear power plants, you name it, marine, aviation, anything that’s considered critical infrastructure. Prior to that, I was a CISO for many, many years. Most recently a CISO at a Peter Thiel-backed startup that unfortunately didn’t make it past its series A, but nonetheless, it was one of the best experiences. I think in 13 months, we broke barriers and did a whole bunch of stuff that I thought was really, really cool.

Unfortunately, sometimes you do cool stuff and you can’t take it over the finish line. That was one of those and it was fun. But I’ve been in startup in FinTech and financial services pretty much my whole career in security. Now, I’m in the utilities. I’ve made the vertical jump, which is about as scary as starting a career in cyber.

Kip Boyle:
It’s a completely different world, isn’t it? Being over in the utilities.

James Azar:
Here’s the thing, it’s easier to defend money than it is power. I don’t think people understand that.

Kip Boyle:
I love the way you said that.

James Azar:
There’s inherent challenges simply because our critical structure is literally the epitome of old technology with new technology, with one guy who has the keys to everything literally and then how disjointed and organizationally dysfunctional the power industry really is. We all know that regulation stops security breaches. You guys got that memo, right?

Jason Dion:
Oh, yeah. You write a policy and it totally solves everything.

James Azar:
One government policy solves all of the problems. You guys all must do security. That’s it. We should never have another breach in the history of all things because government solves all of our problems.

Kip Boyle:
I don’t even know where my paychecks come from. It’s so easy.

James Azar:
So government has made it so that power companies, simply because they’re predominantly a monopoly, they’re regional players that provide electricity. The cost, the barrier to entry is very expensive, the landscape. So, the power generator is a separate company from the power transporter, which is a separate company for the power delivery, which is a separate company. They’re not allowed to interact. The regulation even dictates how and what they’re allowed to interact on. So, what we’ve done is we’ve made it so complex for these people to do business, and that’s not on them. They don’t want to be disjointed, they don’t want to be this way, but people look for government to solve problems. That’s what you get.

Kip Boyle:
Interesting. Well, we could do a whole episode just on this, of course, and maybe we should, but today, we’re here to talk about passwordless authentication. Jason, why? What’s this all about?

Jason Dion:
Yeah, so we mentioned a couple episodes ago when we talked all about multifactor authentication. We said, multifactor authentication was there to help solve the password issue. That’s actually going to go away as passwordless authentication becomes more and more prevalent. There’s already some organizations that are using it, but not everybody. So, as we all know, we’ve all been using passwords for decades and decades and decades. It’s the oldest authentication we’ve used in a computer system. You log in with your username and your password and you can get in. The problem is it’s just one factor. So, if somebody can steal your password or crack your password, they’re able to break into your systems.

So, that becomes the problem and we’ve seen estimates from Microsoft that almost 80% of the security breaches are due to weak passwords. That’s how most people are breaking in. So, we know there needs to be a better solution. The stop gap was to use these password managers with these long, complex, 20-character passwords, uppercase, lowercase, special characters, et cetera. Then we move into multifactor, which gives you now two factors such as a one-time text code plus your password, but that’s still not good enough. Really, at the end of the day, we want to be able to get rid of passwords completely, because when we do, that’s going to give us a much, much more secure system instead of having all these legacy systems that we’re still supporting.

So, that’s really what we’re focused on in this episode is what is passwordless authentication today look like and what it’s going to look like over the next two to three years, because there is huge movements in this space. In fact, last year, Google, Apple, and Microsoft all banded together as part of the FIDO Alliance and they said, “Hey, we are going to come up with a passwordless authentication that works regardless of whether you’re on Windows, Linux, or Mac, regardless of whether you’re using Edge or Chrome or Safari.

We want this to work across everybody. This isn’t a Google problem or an Apple problem or a Microsoft problem. This is an industry problem.” So that’s where we’re starting to get with passwordless authentication. So, that’s the reason we’re talking about it. If we want to define passwordless authentication, really it’s just a type of authentication that eliminates the need for a password. There’s lots of different ways you can do this.

Kip Boyle:
It’s one of these self-documenting things, right?

Jason Dion:
Yes, exactly. I mean, what’s some of the ways you’ve seen passwordless authentication, Kip and James? I guess I’ll start with Kip.

Kip Boyle:
Okay. Well, I’ll just first admit to the fact that I’m feeling like a curmudgeon because I’ve got my password game so wired and oiled that I’m actually being thrown off by passwordless. The first real significant encounter I had with it was Discord. I swear to God, I must have fumbled my authentication attempts, my passwordless authentication attempts probably like six times in a row, because it was a completely different paradigm. I didn’t know what the hell they were trying to do. I’m like, “Let me just put my password in. Would you please?” It was just mayhem on my desktop trying to figure it out.

So, my introduction to this was not good. I’m just like, “Damn it. I’ve got this all figured out. For me, you’re actually adding friction into my workflow, because I’ve got to either scan a QR code or I’ve got to retrieve an OTP out of a text message or an email, and that slows me down.” So I’m not a big fan right now. Maybe somebody will change my mind, but that’s where I’m at. What about you, James?

James Azar:
Yeah, so for me, it was probably about four years ago when I started using StreamYard. StreamYard doesn’t use passwords.

Jason Dion:
Did they do the magic link where they send you the one time login link to your email?

James Azar:
It’s one time code to your email that now most users never log out of StreamYard. Now, that’s a whole other issue. So, I’ve done that. I’ve implemented a passwordless solution in my last position as the CISO over at Glorify. We launched our application fully passwordless. So, I fought the internal battle where marketing people were like, “People want to create passwords.”

To the day we launched where customers were sending messages, going, “How come I can’t use it? I’m not going to give you my biometric data,” and we’re like, “All right, we’ve got to put some FAQs out there around what passwordless really means for people and why it’s probably a lot more secure than whatever password you come up with.” Jason, just to go back to your passwords, passwords were used back in prohibition. When you wanted to go to a bar-

Jason Dion:
Speakeasys.

James Azar:
… during prohibition and speakeasys, you had to say a password. So, if you knew the password was pineapples and you said pineapples, you’d get in.

Jason Dion:
Yeah, that’s a great point. I mean, passwords aren’t a technology thing. We’ve been using them for centuries, right? I mean, they’ve used that as knock knock, what’s the secret code to get in into the castle, right?

Kip Boyle:
Oh, who goes there?

Jason Dion:
Exactly right. It is I Jason.

James Azar:
Yeah. If you ever were in scouts and you went on a camping trip and you had to do a midnight duty, you had a password. That’s how you recognize if someone was a friend or an enemy, right? I mean, passwords have been around forever. Somehow we’ve translated it onto the internet and somehow we think that that’s the right solution for the internet and for user access, but I think we’re in a different world.

Jason Dion:
You both brought up good points on some examples of passwordless, right? Kip was talking about QR codes. So, for example, if you use WhatsApp and you want to use on your desktop, when you log into whatsapp.com and you try to log in, it says, “Well, pull out your phone, go into your WhatsApp on your phone, scan this QR code,” and that’s what logs you into the web version on your computer. So, that’s one way of doing passwordless. Another way is what James was talking about where you may be using, as you said, your marketing team of the bank was like, “We don’t want to give our biometric data.”

Well, that’s another way people do it is you can use eyeballs and fingerprints and face scans and all that. That’s another passwordless authentication. We talked about that back with multifactor. If you add that with a password, now you’ve got two factors and that’s okay, but you don’t need two factors. You can use a single factor. Some of the first passwordless authentication I saw was the old RSA key FOBs. We now use those for two factor authentication, but when they first came out, people were using that as an individual identifier. I just type in Jason and my 30-second code that changes every time. That was a rotating passwordless authentication. I had to memorize anything. I just had to have that key card. I’ve also seen applications where it’s a USB thumb drive.

On that thumb drive is a digital certificate. If you don’t plug that into your computer, you can’t access the website because it’s checking for that digital cert and that’s not a password. It’s a physical key. That’s more along what Google, Apple, and Microsoft are trying to do now by everybody’s going to be using their smartphones as their passwordless authentication. Just like we use TPM modules in our desktops, there’s embedded digital secret keys inside your phone and you’d be able to use that as your authentication mechanism in. So, if I wanted to log into the new website, I would do that.

It would say, “Great, you’re Jason. Go pick up your smart device you’ve registered with a site and use your face to scan or your fingerprint or your PIN number, whatever it is you normally do to log into your phone.” But the phone itself is the key, not the biometrics you’re using to validate the phone. That’s really the way they’re moving with this new passwordless authentication as we start moving forward. The other one I’ve seen a lot is magic links is what they call it, where I use that on my old website at one point. If you wanted to log-

Kip Boyle:
People can’t see this, but James is like, “Ohhh.”

James Azar:
No, no, no, because I think we’re talking about all these different solutions, but we’re missing the elephant in the room.

Jason Dion:
Yup. Go ahead, James.

James Azar:
The elephant in the room is user experience.

Jason Dion:
Yes.

James Azar:
Like Kip said, you’re throwing me off my game. You’re creating friction in the way I interact, and I’m used to interact with technology. So, when you think of passwordless authentication, you’ve brought up a bunch of methods, but let’s be very honest. Kip, you’re a CISO. Jason, you’ve been in leadership positions. You know this. What’s one of the first things we do on all corporate laptops? Disable [inaudible].

Jason Dion:
We should. If you haven’t, you definitely should.

James Azar:
If you haven’t, you should. If you’re doing it, then by default, your security keys in USB devices become moot, because that board is essentially there for decoration at this point. It has zero value outside of maybe potentially powering a USB mouse, like a wireless mouse through Bluetooth. That’s it. That’s all it’s going to do. So, the RSA keys, as wonderful as they are, I remember when I was in banking, we used to give our customers for international wire transfers. They used to walk around with RSA keys. Every person who opened the bank account who wanted to do international wire transfers had a bank key. That’s the code we authenticated that you were the person doing wire transfer.

Well, that’s great, but you know how many times customers call to say, “Well, I’m in Belgium and I forgot my USB, but I need to make this wire transfer. I got to pay a bill. I got to get a deal closed”? So we, security people, and I mean we, all of us on this call included, I think everyone listening, everyone watching, everyone, we’ve all been guilty of prioritizing security over really thinking through a good customer experience and a good user experience that doesn’t create shadow solutions.

Kip Boyle:
Yeah, working around controls.

James Azar:
Because that’s what people are the best at. You’re going to make me do a QR code every time, WhatsApp? I don’t want to do that. Let me find a workaround.

Kip Boyle:
Yeah. That’s the shadow IT, right? That’s false sense of security for people like us, because we think we have the most secure system in the world. We designed it ourselves. We have no idea that everybody’s working around our secure system and getting things done on other systems that would curl our hair if we knew what was really going on out there and we’ve done it to ourselves.

Jason Dion:
Well, there’s two parts of that as well that I see. So, WhatsApp is a great example with the QR code. I want to be able to use WhatsApp on my desktop, but honestly, I don’t want to have to pull up my phone every time I want to log in. So, if I were to pull up my phone, I’m just going to use my phone to talk on WhatsApp and I’m not going to use the web console. So, I’ve used other things like Slack or Discord or Facebook Messenger, instead of WhatsApp, because I can’t get it on my desktop in an easy to use manner. Alternatively, we talked about magic links, which we used to use for our site, and it was a very secure solution to use a magic link.

The problem is I just offloaded the security from my own system to somebody else’s, because, Kip, if you sign up for my site with kip@gmail.com and I use that and I send you the link to your Gmail, well, that’s fine. But if you have a crappy password on Gmail or somebody hacks your Gmail account, they now have access to my site too. So, you’re now trusting that email as a secure source. We all know email’s not that secure because they’re relying on using passwords just like we were, right?

James Azar:
Especially most personal emails don’t have MFA.

Jason Dion:
Exactly, right? So, we talk about that stuff. It’s like, “Yeah, magic link’s great as long as the email’s secure. But if the email’s not secure, then the magic link’s no longer secure either.” I see a lot of people with, you mentioned earlier, Kip, the MFA, two factor by the code goes to your email. Again, that’s really the weakest link right now. If you don’t protect your personal email or your corporate email, then all these two-factor authentications that are sending things through a Google Voice text number or an email number for authentication are all no longer multifactor because they’re still just protected by user and password.

James Azar:
So, when you think of MFA, and I know you guys did an episode on MFA, right? Well, I don’t want to talk about hacking MFA. I just want to say how you implement MFA matters just as much as what kind of MFA you choose. In case you’re a T-Mobile customer and you’ve been part of the 727 breaches they’ve had in the last five, right?

Jason Dion:
I actually am. So, you’re talking to me.

James Azar:
So, SIM swapping attacks have been a catalyst. That’s what they hack T-Mobile for, for SIM swapping accounts. So, I know your email because we know how threat actors operate. It’s not a guy in the basement wearing a hoodie. It’s an organization where people walk into an office. I’m wearing Eastern Europe or Asia or even in the United States and Latin America. To go into the office, they’ve got a team that’s saying, “We’ve got all these usernames, all these passwords. We validated that these work. Now, go get whatever MFA they’re using.”

They’re using T-Mobile. Great. Let’s try to do a SIM swap attack on T-Mobile. Now we’ve got access. Now we’ve got persistence. Now we’re moving laterally in your network. The rest is a headline on my podcast are yours with the story of don’t be these guys. So, the idea that one factor or two factor or three factors, it’s about implementation. When you talk about passwordless authentication, implementation is key, right?

Kip Boyle:
So, tell us some more about that, James, because I don’t have any experience implementing passwordless. You do. I would love to hear more from you about what exactly in the implementation is so crucial to get correct.

James Azar:
So, there’s a lot of passwordless new age identity solutions for this stuff. They call them buzzwords that should raise everyone’s ears red as zero trust or no passwords needed and whatnot. Well, that’s all great. Some of them are just a passwordless solution that ties into your active directory. So, whatever active directory you’re using and some companies have their own internal active directory and they’re just integrating a passwordless solution to replace the password field. Well, if you’ve got inherent challenges with how you manage user data, then that implementation predominantly done through APIs is just going to be a colossal failure, because you’re really not defending tokens.

At the end of the day, no matter what you’re using in passwordless, all that’s being generated is an identity token that’s being used across all the different platforms that you’re using it to access. So, in a business setting, if you’re doing it for employees and let’s say you’re doing it on a single sign-on type of solution and I won’t drop names for the sake of we don’t want to seem like we’re endorsing anyone, you go through a single sign-on process. Well, that token now is essentially the signature to get you into every single application. So, bad implementation. I can get that token and take it out. So, for us, when we were shopping, looking, and architecting our passwordless solution, we knew we weren’t going to build an internal active directory.

We knew we were going outside to an active directory. Now, at the time, this was 2021. So, at the time, no one had an active directory with passwordless. So, you had to go find an active directory partner, then you had to go out and build an integration to passwordless. Today, we’re in May of 2023. That’s a very, very different one. Those have all come together. Now, the implementation is critical when it comes to user availability. So, at Glorify at the time, we opted to use device-based authentication. So, we knew that 95% of our users were all coming from mobile. We said, “We’re going to just require everyone to download our app and set up their account through our mobile app. You weren’t going to be able to open an account on our web app.” So take in the WhatsApp QR code type of example.

We just weren’t going to allow it at the very beginning. The reason for it was because technology wasn’t there yet. Technology wasn’t there and the cost to get it to work on a laptop and then back to mobile was more inconvenient than convenient for the user. We cared a lot about user testing. So, we cared a lot about user feedback. So, as we were implementing this in every step of the way, we actually did A/B user testing and not internal. We actually went external. We brought in a control group of our target customers. We sat them down. We put the test app on their phones, and we had them go through it. We watched and we commented and we went through that.

To the credit of the Glorify leadership team at the time, I mean, we’re bankrupt now. They don’t exist anymore. But some would argue that you guys doing this testing could have led to that. I would bet to defer. I think it’s why we had unbelievable success in the short time we were alive, but nonetheless, we did user testing and users reacted well to it. Now implementing it and taking it from a perspective of how do you get it across multiple platforms and then how do you get it across all your different backend solution providers that are trying to pull the identity of a customer to present the information that customer needs to see, that’s challenge number two.

So, you’ve got the active directory to passwordless challenge, which today is predominantly solved, because almost every single vendor in this space realizes they’ve got to have an active directory solution. Our second challenge was, all right, I’ve got seven different vendors that support my banking operations and every single one gives me a different piece of data that come together provides a dashboard for my customer.

ACH is a different provider from your account balance, which is very different from the list of all your transactions. All of those are very different. They come from different sources. So, I’ve got to authenticate you and some of those systems, Kip and Jason, are so old. They’re like, “Well, we use SAML 2.0 and your technology is OIDC.” So now you’re literally trying to build bridges to compliment all tech to the new tech.

Jason Dion:
Yeah. You basically had to create all the middleware to be able to do the transitions.

James Azar:
Correct. That’s what we did. We had to create a bunch of middleware and then we had to pen test it. We had to run it through extensive testing, regression testing, load balance testing, because you got to make sure it can handle traffic. What happens when 100,000 people want to go in and do X simultaneously for whatever reason?

Jason Dion:
Well, I think the other problem, you guys chose to use the mobile phone as the device. I hear-

James Azar:
We did.

Jason Dion:
… that’s exactly what Google and Apple and Microsoft are leaning towards is this is the answer to everything. It will let you log into everything. Well, the one challenge, you talked about knowing your users, is I came from the government space and I worked in a lot of places that these are not allowed in the building. I had to leave this in the car. Back in 2020, 2021, when we all decided to start shifting to Microsoft Teams in the government and to authenticate and log into Teams the first time, you had to get a one-time code and it was only good for five minutes. So, I remember being in the basics of my SKIF, trying to log in on my unclassified machine to be able to do Teams.

I would have to run up the stairs, up the elevator, three flights, get my phone from the locker, get outside, get to a place where I can get signal, get the code, and then run back down there. So, I can authenticate myself. I had to do that five times until I made it in that 100-yard dash in that five minutes, because the way that the system was done. With passwordless authentication going to using a digital cert that’s only on this phone, I would have to have the phone in the room with the computer and that doesn’t work for everybody.

Because if you’re in a power plant and you’re in the basement of a power plant, you may not have cell phone signal, you may not have Wi-Fi. If you work in a government top secret facility, you’re not allowed to have these in there. So, all of those become challenges that we then have to say, “Well, we’re still going to support passwords for those folks, or we’re going to have this other physical key that gets us a satellite.”

James Azar:
You’re going to have the RSA key.

Jason Dion:
In some places, it won’t work if you’re in a basement, right? Because it’s not getting the signal with the GPS satellite to make sure it’s on time and all those things. So, these are all implementations that you’re right for your users, 90% of our users are mobile. Great. If you’re only going to support mobile users, well, you just told the other 10%, “We don’t watch your business,” or you can find a way.

James Azar:
Just to be very clear, what we ended up doing was we launched with the mobile app solution only. Within two weeks after we launched, we had the web app ready to go and our web app was very simple. It was the WhatsApp solution. Jason, you went in, you put in your email address, you got a QR code, you had to scan it on your phone. It took you to our mobile app, which then authenticated, kicked off the token to the web app, and said, “This is Jason trying to log in.” Now we leverage device-based biometrics, and this goes to your Apple, Amazon, Microsoft, Android type of conversation. You had to have some level of security on your device for this store. If you had an iPhone and you didn’t use anything to log in, you couldn’t open an account.

That was another challenge we had with user adoption. Some people had old devices where they had a four-digit passcode. If you used an old iPhone 6 or 7, those didn’t have the six-digit, they had the four-digit one. Then there was the confusion, the confusion around biometrics. Apple doesn’t even know your biometric data as far as we know. I say that as far as we know, because Apple claims that they don’t store any of the biometric data anywhere in their environment. It’s stored directly on your phone.

When you wipe your phone, the biometric data is wiped as well. There’s some truths to that, because every time I’ve gone to DEFCON or BlackHat and we’ve tried to take advantage of that and we’ve wiped phones clean and then tried to redo the biometrics, you’ve always had to redo your biometrics. As of right now, I haven’t seen anyone break that method or prove Apple wrong. So, when you’re leveraging those biometrics, there’s an education with the average consumer or average employee, by the way. I go, “Well, I don’t want to give you my fingerprint. I don’t want to give you my facial ID.” You’re not. We’re just leveraging that tech in your phone.

Jason Dion:
It’s hard to know.

James Azar:
People don’t know the difference.

Kip Boyle:
Yeah, it’s hard to know. It’s hard to know. Well, what about YubiKeys or Titan Security Keys or something like that? FIDO Alliance, actual thing that you can either plug in or if you’ve done the disabled USB port maneuver that James recommended, maybe a nearfield communication or something like that. What did you find with those keys? James, did you consider letting people use those?

James Azar:
No, and I’ll tell you why. One, because I always blocked USB ports. Number two, I wanted no nearfield technology. When we did a threat assessment around nearfield technology in a distributed workforce or even in customers when you’re talking about access to your bank, think of how many people sit at Starbucks. Kip and Jason, next time we’re in person, let’s go sit at a Starbucks together. Let’s see how many people access their bank account, leave it open, and go grab a muffin and come back.

Kip Boyle:
Yup, most expensive muffin they’ve ever bought.

Jason Dion:
The other thing, Kip, you had mentioned the YubiKeys and the hardware tokens by using the USB thumb drive. The other challenge with that is the cost associated with it, right?

Kip Boyle:
Sure.

Jason Dion:
Everybody already has a phone pretty much. But if I have to issue one of those smart keys to every customer, that’s $1, $2, $3 per thing. That starts adding up, right?

Kip Boyle:
Everybody needs to because you need a backup. Because what if you lose your primary?

Jason Dion:
So for instance, you and I have a company together, Kip. We both need a key. So, that’s two customers, even though we’re one account. So, we just double James’s cost. If we’re not allowing USBs, then that becomes a problem as well. So, there’s a lot of problems with those USB keys. The biggest one is distribution, which is why they’ve gone to these software solutions. Nowadays, you can do e-SIMs. As soon as I get overseas, I turn on my phone and I can import an e-SIM and I now have local phone service because I don’t have to go and get that physical chip anymore. Same thing with the USB drives. So, that’s why I think a lot of people have moved away from those type of form factors and they’re moving more towards the phone being the solution for everything.

Kip Boyle:
What do you think, James?

James Azar:
So agreed. I agree with what Jason said. I’ll add one thing to it. We talked about the customer. Let’s talk internal. Your CEO’s on a trip. He forgot his FOB. He can’t access anything. So, now you’re the CISO, you’re getting the phone call, because helpdesk isn’t getting that call, right? You are.

Kip Boyle:
Or they handed it off to you immediately.

Jason Dion:
I put that director at 3:00 in the morning getting those calls when the guy’s back in America and I’m sitting in Europe and I’m like, “Yeah, I’m sleeping, buddy.”

James Azar:
Our CEO is now in Germany or London in business and you’re in Atlanta or Florida or Chicago going, “Well, we’ll overnight him something.” Now what do you think the first order of business is once he gets back? I want to have a meeting with James. All right, James, come on in. How is this good? How is this going to support our employees? Because now this cost us a ton of money, because I had to go issue his account a new one or disable. Meaning reduce the security on the CEO’s account to allow him to log in without that while he’s overseas in an completely uncontrolled environment. You don’t control the network. You don’t control anything. Only thing you control is that endpoint at that device.

So, that’s why identity matters so much. Now, you’ve put all your guards down on what is the number one target of your organization in a foreign land, right? That’s why most solutions are… Unfortunately, they’re such a unique use case. They go to Jason’s use case. You work for the government, you’re in a SKIF. We’re going to give you all the USB. The USB probably doesn’t even leave the SKIF. It stays in the SKIF probably in your locker at the SKIF. It never leaves the facility. So, it never has any risk of leaking out. You walk in, plug it in, identifies who you are, and you go about your day. But in the average day-to-day distributed workforce, distributed customer base, they’re just not a viable solution. I don’t see a future form.

Kip Boyle:
By the way, we dropped a couple pieces of jargon on you in case you didn’t know. James said FOB, and he said SKIF. Now FOB is just a jargon for a little dongle that you hold in your hands like a secure ID or something like that or one of these YubiKeys or Titan keys or whatever. You just call those FOBs. Then a SKIF is like a vault that you work in, right, Jason?

Jason Dion:
So a SKIF is a Sensitive Compartmental Information Facility. So, if you work for the government and you are in some type of a top secret environment, for instance, I used to work at the agency at the NSA up in Maryland. The entire building is a SKIF for the most part. When you go in, there’s control points, there is guards. They make sure there’s no cell phones, no beepers, no nothing, no WiFi is enabled, all that stuff. Anything that comes in or out of the building is subject to search and all that stuff, because essentially, it’s a big vault. There is wireless [inaudible] that can’t go in, wireless [inaudible] can’t go out. So, again, the big problem I see with passwordless in the future, I think for the average consumer, passwordless is going to be the thing that everyone’s going to use and we’re going to start seeing that.

When you got to log into Facebook, it’s going to just ping you on your phone and you’re going to say, “Yes, I approve.” Everything’s going to be controlled by your phone except for those use cases that can’t do that. That’s a little thing that actually scares me a little bit, especially for our government workers and our top secret cleared people who are working in these type of SKIF facilities or you’re overseas and you forgot your phone, right? Because you’re not going to bring it when you go on a trip to Beijing.

James Azar:
China.

Jason Dion:
That’s right. Great example, right?

James Azar:
It’s in your burner.

Jason Dion:
Exactly, because you know that that phone is going to be tampered with, right?

James Azar:
Motorola Razr.

Jason Dion:
Exactly. The old nine-button known smartphone at all, right? When you deal with this stuff, you’re either not going to be able to access it because you don’t have your phone with you or your phone now becomes more valuable for people to steal. This was a big problem 10 years ago. Everyone was stealing smartphones because you could resell them on eBay. Well, now people are going to be stealing smartphones because they can get into your bank accounts. They can get into your brokerage accounts. They can get into all your social medias and then calling your friends and all that. If this is now the key to open every single website that is in my life, this now becomes extremely valuable and you have to really protect it.

That’s one of the things that you have to think about as far as we start thinking about these implications of using passwordless. Just like we said before at the magic links, magic links seem great. I’m not storing any passwords as a service provider. I’m just sending it to your email. But if your email’s insecure, well, then you can get into my site. The same thing’s going to end up happening with these phones being the key to everything. Because if there’s a hardware key inside this phone that unlocks everything, then you need this hardware key and you’re going to steal it.

James Azar:
But now we’re going to go a step further. Let’s give people a little bit of insight because I don’t want to it to be doom and gloom. Our listeners are people who want a career in security. They want to be able to solve these problems. So, this gets to the next level of what passwordless really means. What’s the most annoying thing that’s ever happened? All of us are old school here. So, if you remember, you’d have a 15 or 20-character password. You’re trying to work on X, you hit a screen, and it’s making you reauthenticate to do action A. Now, all of a sudden, you’ve got to re-enter your password. You’ve got to multifactor again, very irritating, very annoying. Agree?

Jason Dion:
Yeah, it happens to me all the time when I’m going into my credit card processor to refund a student or something like that.

James Azar:
So now with passwordless though, that becomes seamless. With passwordless though, that becomes really, really… I don’t want to say seamless, but it becomes turn onto your phone, make sure you’re that person. Now, with modern technology, what you’re talking about on your phone, for example, what we did, we didn’t just have passwordless, device-based biometrics. We had user behavior analytics backing that up. We had device IMI versions. We were able to set policies that says if the phone’s jailbroken, it can get access. We had policies that said that if the phone goes up or down in version, reauthenticate the user twice. One of the things we were implementing before, unfortunately before we went out of business, was the photo ID aspect of it.

So, we want you to authenticate, take a selfie with your thumb up, and then we would scan that selfie. You opened an account in Jacksonville, Florida, but now the selfie and image in the background and the colors is at night. Well, it’s 2:00 PM in Jacksonville. You should be in sunlight. This is coming off in a dark room. That doesn’t make any sense. We’re going to go ahead and pause that account and ask for more validation and verification of the user. So, you start to create these use cases over time that really help enhance passwordless, right? Those are going to be really, really critical to this adoption and to what you’re talking about, where your phone becomes your priority.

Because if your phone gets stolen and now, I’m not going to say what hand I am, but let’s say I’m right-handed, let’s just say for the sake of this example, I’m right or left-handed. It doesn’t matter, and that’s how I hold my phone. User behavior analytics realizes that. They’re able to crack my phone, but you’re using the other hand. So, user behavior analytics should automatically trigger an alert to reauthenticate.

Kip Boyle:
Well, now you’re starting to talk about zero trust, I think, right? Aren’t we starting to veer into zero trust territory?

James Azar:
I hate that word so much.

Kip Boyle:
Hey, don’t hate the word, hate the game.

James Azar:
I know. I hate the word. I love the game as zero trust. I love the game as zero trust. I hate the marketing around it.

Kip Boyle:
Yup. Well, yeah. I’m not going to let the marketers ruin my ride though. I mean, I get you. I’m sick of how marketers are always taking the latest buzzword and then claiming that their product has it or is it. Yesterday, it didn’t and it wasn’t and it’s no different today.

Jason Dion:
Well, you’re seeing that in real time right now with AI and ChatGPT. Every software program I use and every web app now says, “Now integrate with ChatGPT.” I look, I’m like, “All you did was an API call. It didn’t make your product better, but now you have ChatGPT, right?” So now they can say, “Yes, we’re AI,” right? There’s a lot of that that goes on in the zero trust world.

Kip Boyle:
I totally get that, but that’s why I steer people towards either the NIST publication on what zero trust actually is or there’s actually a good book out there that’s very vendor-agnostic. So, I don’t really care what the vendors are saying right now. But James, my only point is that just the way you described the authentication experience, it reminded me of this idea of I’m not going to trust. I’m only going to trust you if you can really prove that you are who you say you are. If you’re in a place that you’re not normally at or you’re presenting yourself in a way you don’t normally present, then I’m going to ask for more stuff.

James Azar:
I’m going to give you the caveat to all of this. Are you ready?

Kip Boyle:
Yeah.

James Azar:
I’m about to kill passwordless in a second.

Jason Dion:
Uh-oh.

James Azar:
Here’s the caveat. If you, for example, have a twin, your twin can unlock your phone and use it, no questions asked, because you’re identical, right? Additionally, if you get rid of your face ID, someone gets their hands onto your phone, they put their face ID, Apple, Amazon, Microsoft, Google are none the wiser to realize that the person changed. So, relying on the device-based biometrics only is only as good as how good the user is, which is no different than requiring someone to make a 14-character password and they just put 12345678987654321. That’s their password. I think that’s the caveat in passwordless. That’s where there’s always that human factor that Jason talked about very early on, 80% of breaches are human-related password.

The only difference between password and passwordless is the sophistication of the attack. Meaning credentials no longer matter. But if you leave your authentication API unsecured, unmonitored, and I’m able to go in and steal those tokens on those API calls, that’s no different than stealing your password. If you don’t think that’s coming, quote me here today, May 2023, at some point in the next 12 to 18 months, someone’s going to have their entire API gateway cracked wide open with all of these tokens there. This isn’t as simple as pushing out a master password reset through your vendor.

Kip Boyle:
But you really learned all the ins and outs of this through that experience. That’s fantastic.

James Azar:
We were the first financial institution in the country to do this. We were the second in the world to do it. There was another financial institution in the UK that did it before us, and I was able to speak to their team. We did a lot of homework. I had a lot of smart people working with me. I was not this smart when this started. A lot of smart people bring this to our attention and help and work through a lot of these problems. When you’re looking at solutions, you got a threat model. You got to understand, “What are the risks and how do you mitigate some of those risks and can you mitigate the risk?”

Jason Dion:
When I think about passwordless, I don’t think it is the end all be all 100% going to solve every world problem we have, but I will tell you that as I’ve looked into it and done a technical deep dive, it is better than what we currently have with password. So, we’re eliminating one of the major sources of breaches, but there are a lot of things that we have to think about, right? In general, passwordless is more secure.

It is a more convenient thing and it does give a better user experience, but there’s also a lot of challenges that we have to think about, such as, “What if I’m in a place where I can’t have my phone? What if I can’t have that key? What if the device gets stolen? How do I get all those websites to realize that this is no longer the phone and now my new Android is instead of this iPhone?” All those are things that we’re going to have to figure out as a community as we start working through passwordless, but the reason we wanted to bring this topic to our audience and bring James on was because we know this is coming. This is the direction the industry is heading. So, you got to get smart on it because in 2023, you’re going to see more and more of it.

By 2024, it’s going to be pretty widespread. By 2025, it should be in theory replacing passwords is what they’re saying. Now, every time I say future things like that, I always hold my fingers because I remember back in 1995, 1996, IPV6 was coming and no one was ever going to use IPV4 again. Here we are in 2023, and I still teach IPV4 on a daily basis to students because it is still the primary thing we’re using. So, yes, people think passwordless is going to take over. I think there’s going to be a lot of holdouts and there’s still going to be a lot of passwords out there. But the more we can use it, the better it’s going to be for us security wise. James?

James Azar:
So let’s give your audience the real issue why you’re probably right on the prediction that it’s probably not going to happen in 2025.

Kip Boyle:
Go for it.

James Azar:
Cost.

Kip Boyle:
Cost for who?

James Azar:
Cost for a company to transition from password to passwordless. That’s talking about changing your entire active directory. You’re talking updating your policies, you’re talking about implementing new tech. In an interconnected world that we live in today where you’re on multi-cloud environments with SaaS providers all over your environment, that’s not an easy feature. We were able to do it because we were greenfield. New startups and new companies should absolutely do this.

Kip Boyle:
But isn’t there business case to be made that you’re going to get rid of all the password reset support costs?

James Azar:
Nope. You’re keeping those same people to do biometric reset. I got a nose job and now my phone doesn’t recognize me. You think I’m kidding? In 45 days, I’ve seen and heard it all.

Kip Boyle:
Oh, wow.

Jason Dion:
Kip, I think the other thing is most password resets aren’t done by humans anymore anyway. Almost all of them have been completely automated and shift left.

Kip Boyle:
That’s a good point.

Jason Dion:
There’s no cost to that, but there’re also other problems.

James Azar:
There is. I’m sending the email through whoever, right? There’s-

Jason Dion:
Tens per million on Amazon.

James Azar:
Whatever that cost is. That’s not the issue though. I think there’s bigger challenges there, Kip, that on passwordless are going to require more support. There’s consumer education and someone’s going to have to go out and do it. At Glorify, I remember I had to do a video once a week that went on all of our social media about why passwordless was better and what it meant. We don’t store your biometrics. We’re only leveraging your phone-based authentication. So, you can use a passcode. If you don’t want your biometrics, you can have it default to your passcode.

Kip Boyle:
Man, the thing that you said today that’s going to stick with me for the longest, I don’t know why, is when you said early in the episode that the marketing people claimed that your customers love to create passwords. That was the money quote from this episode.

James Azar:
But the thing about it is our marketing team were very smart people. This went back and forth, by the way, up until about two weeks before we launched. I remember we were sitting at our founder’s back porch in Dallas, Texas, and it was an all exec meeting. The product manager and the marketing people came in ready to go, “We don’t want to go with passwordless. There’s too many caveats.” I stood on my back to feet and I had our founders backing at the time and almost everyone else going like, “Passwordless is the way to go.”

Jason Dion:
Well, I think the big key is what James said there right before we went into that, right? It’s that if you’re a new company and you’re building something, for instance, I am currently working on three projects at the same time, one for Dion Training and two for other new companies I’ve started. We are building those serverless, cloud first, function as a service, passwordless, all that stuff, because we are new and we can do it. But if I was looking at CompTIA or PeopleCert, which are big, huge certification companies with decades of experience, it’s going to take them longer to do that, because they have to retrofit all their old stuff and make it all work.

I know CompTIA last year went to a single sign-on, so they had one password instead of 17 passwords across their systems. That was a huge migration for them. It took them months and months and lots of money to do it. Now to try to ask them to move to passwordless this year, it’s probably not going to happen, right? They’re going to be like, “Eh, we’ll wait three or four years, get some value out of this SSO before we go passwordless.”

So I see a lot of bigger companies that are going to drag their feet. So, I don’t think 2025, we’re all going to be switched over, but I think the younger startups like Glorify was a young startup of a bank that was trying to break the mold. Mercury is another example of a young startup of a bank that breaks the mold versus Bank of America that’s been around since the ’50s. So, as we see that, you’re going to see a lot of that change. So, as we summarize this episode and bring us to a conclusion here-

Kip Boyle:
I’m getting twitchy because we’re coming up on an hour and I don’t know how many people have dropped already, but this has been a fantastic conversation, James. Thank you so much for being here.

James Azar:
Hope no one dropped. If you did, we’ll find you, we’ll punch you, and we’ll make you listen to the very end.

Kip Boyle:
We’ll take away all your passwords.

Jason Dion:
So for those of you who are listening, I want to thank you again for sticking with us to the end, and I want to thank James Azar from the CyberHub Podcast for joining us today to talk all about passwordless authentication from somebody who has done this implementation on the ground in a bank startup, which is a very highly regulated industry. So, there’s a lot of hoops he had to jump through to really dive into this. If you want to hear more from James, you can always listen to his podcast over at the CyberHub Podcast, which is cyberhubpodcast.com. We’ll have a link in the show notes for you for that as well as to James’ LinkedIn if you want to connect with him there. This was episode 97 here on Your Cyber Path Podcast.

As always, you can go to yourcyberpath.com/97 to get all the episode notes and all the links that we mentioned in the episode. So, definitely check that out. When you’re at yourcyberpath.com, you can also sign up for the mentor notes, which you’ll get every other week from Kip, which gives you great information on the labor market, what things are changing, what things are happening in tech, and things we don’t talk about in the podcast, but it comes out every two weeks to be very relevant, very right on the fact of what’s happening right then. So, definitely sign up for that over at yourcyberpath.com. Other than that, thank you again for listening and we’ll see you next time.

Kip Boyle:
Bye, everybody.

James Azar:
Bye, everyone. Thanks for having me on, Jason and Kip.

Headshot of Kip BoyleYOUR HOST:

    Kip Boyle
      Cyber Risk Opportunities

Kip Boyle serves as virtual chief information security officer for many customers, including a professional sports team and fast-growing FinTech and AdTech companies. Over the years, Kip has built teams by interviewing hundreds of cybersecurity professionals. And now, he’s sharing his insider’s perspective with you!

Headshot of Jason DionYOUR CO-HOST:

    Jason Dion
      Dion Training Solutions

Jason Dion is the lead instructor at Dion Training Solutions. Jason has been the Director of a Network and Security Operations Center and an Information Systems Officer for large organizations around the globe. He is an experienced hiring manager in the government and defense sectors.

Wait,

before you go…

Don’t forget to sign up for our weekly Mentor Notes so you can break into the cybersecurity industry faster!