Adopting Zero Trust

Adopting Zero Trust: The Illusion of Passwordless


Season two, episode 14: The illusion of going passwordless with Derek Hanson, Vice President Solutions Architecture and Alliances at Yubico + Yubikey giveaway.

Catch this episode on YouTube, Apple, Spotify, Amazon, or Google. You can read the show notes here.

True or False: The concept of passwordless is new. False.

This is shocking, we know.

Given the amount of hype around the concept, it can certainly feel new now that the wider public is becoming familiar with it; the message, however, is a bit jumbled.

For ages we have used biometrics (fingerprints or iris scans) and even a PIN plus a debit card to get money out of an ATM. More recently, though, there has been an increase in misrepresentations of how secure passwordless technology is, simply because no password is involved. As cybersecurity practitioners, we know that removing the password alone will not stop a successful phishing attack: a passwordless flow built on a phishable factor, such as a one-time code or a push prompt, is no more phishing resistant than the password it replaced. Phishing-resistant multifactor authentication is what actually moves us closer to the Zero Trust concept.

Fortunately, we have a guest this week who is well-equipped to help us navigate the ins and outs of passwordless concepts, passkeys, and the split between identification and authentication. Derek Hanson is Vice President of Solutions Architecture and Alliances at Yubico, where he has spent the last eight years shaping the YubiKey, a physical authenticator designed to improve authentication, and the open standards it implements. Before that he worked at Costco, focusing on identity and IAM. But first, let’s improve your personal security stack…

Giveaway - Yubikeys!

If you already have a Yubikey, you already know there is always an opportunity for one more in your stack. If you’re new to Yubico’s offering, this is the perfect time for you to grab your very own YubiKey 5C NFC and gain phishing-resistant MFA. It even works with most password managers, too.

To enter, we’ve given you a bunch of options on how you can increase your odds of winning one of two keys. You must be based in the US, though.

Enter the giveaway here.


If you do enter, ignore the Facebook option (sorry, this is cheap and easy), and you only need to do one of the tasks. Each additional task just increases your odds, with a podcast review being worth 3 entries.

We’ll close the giveaway in about two weeks and announce it in our next episode.

Editors Note

This week we have a special ask of you, beyond the giveaway, that we’d love some support on. SXSW’s Panel Picker is officially open for voting, and we put together an amazing panel. If you can take a moment to share our panel and give us an upvote, we’ll be closer to being selected for next year’s conference. You can vote for us here.

We are bringing together an all-star cast drawn from previous guests and plan to discuss how organizations can treat their cybersecurity program as a differentiator rather than the typical cost center. Considering the audience typically at SXSW (think entrepreneurs and startups), we feel this is a valuable message to convey so that security practices are not treated as an afterthought.

The panel will consist of:

  • Neal Dennis, Podcast Host, AZT

  • Ilona Cohen, Chief Legal and Policy Officer, HackerOne

  • Phil Vachon, Head of Information Security Architecture, CTO Office, Bloomberg

  • Chase Cunningham, Vice President of Security Market Research, G2

We’ll absolutely record this session, too.

And now, back to your regularly scheduled show notes.

Key Takeaways

  • Hardware security tokens, such as YubiKeys, offer a higher level of security than software credentials because the private key never leaves the device and cannot be copied.

  • Quick, strong, and easy-to-use multifactor authentication is necessary for implementing a Zero Trust security model that doesn't rely on just being on the network as a valid signal.

  • FIDO2 is a passwordless multifactor authentication protocol that is designed to prevent phishing and make signing in securely easier for users.

The Difference Between Identification and Authentication

Today’s episode title is a bit misleading, but it is a useful anchor. Is passwordless authentication inherently more secure? No. Is there, in fact, no password? Kind of, but that is semantics and depends entirely on the mechanism. At the end of the day you still have a secret (something you know or something you have) or something you are standing in for the standard password.

With this in mind, passwordless access and authentication as hyped is an illusion: it creates a false safety net unless deployed appropriately. As with Zero Trust, much of the confusion comes from misconceptions. But peel away enough layers and you find concrete benefits, such as phishing-resistant MFA, and then you are heading closer to reality.

Here’s Derek discussing the split:

“So I think the challenge here is unpacking what people think passwordless means. And when we start talking about what is a passwordless authentication experience, we're all accustomed to different types of passwordless experiences every day. One of the ones I use a lot of time to discuss the model with people is your debit card.

Anytime you use a debit card, you go in, you present a device, you use your PIN, now you're able to access your account and get your money out. The point in that is that you've possessed something, and then there was a secret you had that unlocked that something. So you've really achieved, at that point in time, passwordless multifactor authentication to your account.

You know, there's a secret on your credit or your debit card that was used. Well, passwordless, to be of value, has really gotta combine multifactor authentication into it. And so we've had passwordless authentication schemes on the web for a very long time. That doesn't mean they were secure, that doesn't mean they were phishing resistant.

And so, when we talk about passwordless at Yubico, we're talking about one of two things. We are talking about FIDO2 authentication, or we are talking about certificate-based authentication, where the certificate or the FIDO2 credential lives on that YubiKey. And it's key to talk through the fact that that credential is an electronic set of data that lives on the key that is unlocked by a PIN or a biometric, depending on which key you're using, to then authenticate to the system,” said Hanson.

Benefits of Hardware Security Tokens

Hardware security tokens, such as YubiKeys, offer several advantages over software credentials. The key one is that the credential stored on the token never leaves the device, so it cannot be copied or exfiltrated the way a file or a software-stored key can. A physical token is also always with the user, and tampering with it is evident, which makes it a more trustworthy option.

Hardware tokens offer further security benefits. They can serve as the second factor in multi-factor authentication (MFA), which is critical in a Zero Trust environment: MFA requires two or more factors (something you know, something you have, something you are) before access is granted, so a stolen password alone is not enough for an attacker. With FIDO2 or certificate-based authentication, the token can also carry the primary credential in a passwordless flow, unlocked by a PIN or biometric, so there is no password left for an attacker to steal or phish in the first place.

Importance of Easy-to-Use Authentication

In a Zero Trust environment, good, easy-to-use, quick, and secure multifactor authentication is critical, because every boundary crossing re-verifies that users are who they claim to be. That is challenging: users authenticate far more often than they did on a flat network, so each authentication must have minimal impact on the user experience. The answer is to pair a strong authentication protocol with a good user experience at each checkpoint where users must authenticate. A hardware authenticator can also attest to how it protects its keys, moving the security bar forward along with the usability bar.

One way to improve the user experience is a hardware token with a simple, intuitive interface. YubiKeys, for example, are designed to be easy to use and work with a variety of devices, including computers, smartphones, and tablets. They also support a range of authentication protocols, including FIDO2, an open standard that enables phishing-resistant passwordless authentication.

The Future of Authentication

The conversation also touched on the future of authentication, specifically the move toward passwordless environments and biometric authentication. While biometrics have advantages such as ease of use, they also have drawbacks, such as vulnerability to spoofing. In a passwordless environment built on hardware security tokens, the biometric (or PIN) only unlocks the credential on the device, and the credential itself never leaves the token; that is the more secure option, and it is becoming more prevalent in the industry.

Hardware tokens can also be used to provide secure authentication for remote workers, who may not have access to the same secure networks as on-site employees. This is particularly important in today's remote working environment, where many organizations are struggling to maintain the same level of security as they did when all employees were on-site.

Transcript

This transcript was automatically created and is undoubtedly filled with typos. As usual, we blame the machines for any errors.

Elliot: Hello everyone and welcome back to another episode of AZT or Adopting Zero Trust. I am Elliot, your producer, alongside your actual host, Neal Dennis, and a wonderful guest who comes from a company which I know absolutely all of our listeners are gonna be familiar with and frankly will be able to speak to a myriad of topics that just are more than aligned with Zero Trust.

But in general, modern cybersecurity principles and concepts. That being said, I am going to hand this off actually real quick to Neal to give a little bit on passkeys, maybe what his perspective is, and then we're gonna hand this off to our guest for a proper introduction.

Neal: Yeah, sounds like fun. I'll be very upfront. I love them. I hate 'em when I lose it, obviously. But I've always been a fan of hard-coded stuff like that to carry around with you and lose. But the fun thing with YubiKey and things like that, you know, aside from the wonderful MFA-esque approach to life with the key that it supports in digital MFA versus physical MFA, I mean, I like being able to plug and play and get to going.

There's a reason why password managers are so successful on the digital side of the house, and there's a reason why YubiKey is so successful and all the variations therein. I think they make a wonderful statement on your key chain, especially when you've got eight of 'em all lined up. But yeah, I'm a huge fan of this. I think they make the world a lot less complicated in the password world when you have them applied the right way. And I think they are a great stop gap to a lot of the starter package of security concerns that we have out there. And for the listeners in general who may not realize what this actually is, it's a literal device that you take around with you and plug in, you know, get your little one-time MFA type thing to log into it, if you will.

Whatever you wanna say. Authenticate, and then you're good to go for the most part to certain things. Remove the key, you're done. It's like military CACs for those of us out there who've ever used those, very similar concept except smaller, easier, and nobody asks to see it when you go through a gate, so,

Elliot: Perfect. All right. So, I think Neal incidentally, or sort of, spoiled who we're gonna be discussing these topics with, but to make sure that we don't kind of gloss over that, Derek, maybe you can give us a little bit of introduction to yourself, where you are currently at. And then I've gotta also, of course, bug you 'cause you've got some pretty cool companies on your history there too.

Derek Hanson: Oh, well, thank you. Yeah, so my name's Derek Hanson. I work with Yubico. I've been here for a little over eight years now. It's been a phenomenal journey getting to work on building not just how the YubiKey works as a product, but where the YubiKey works in the ecosystem. Making sure that, you know, passwordless multifactor authentication is just like built into all these applications so that the utility of it, the YubiKey itself, becomes increased.

Because I think what you just said, Neal, a key part of that is like, hey, can I just sign in? Can I take a physical device that I have control on that sits there that lets me just access my applications? So, I work at Yubico specifically around the standards, how the FIDO protocols get built, our alliances, how we work with partners to make sure that these open standards we've just built actually end up in product that we can use day in and day out.

And it's really focused on sharing the word about like, Hey, how does this stuff work? What should you be doing with it? What should you ignore? What's important? You know? 'cause all of this stuff creates its own hype cycle, you know? And you wanna make sure that you're actually giving people real usable information.

And so that's kind of, that's kind of that role there. And I think that's what brings us here together today to talk.

Elliot: Love it. Yeah. So that is exactly the focal point that we'll probably go into again. If you're a listener to our show, you know, we'll start somewhere, we'll end off on, you know, an entirely different planet. But before we kinda go too far into the world of passkeys and some of the pretty advanced stuff that y'all have been at the forefront of, you know, I'd love to maybe hear a little bit about your journey and, you know, what brought you there.

You've got a pretty long, you know, time over at Yubico, which, you know, in our space, that many years, it means something to be at a company that long. Obviously there's a lot of value in, you know, what they're putting together. And obviously you've got a lot of faith in what they're doing, but maybe even before we get to that piece, you know, obviously you cut your teeth in the IT world. You have some significant background in solution architecture, but you've also done some identity work as well for a rather large organization. I don't know if we're name dropping, but I'll edit that out if not, but over at Costco, at least for a year, until you, you know, ended up on really that trajectory over to where you're at now. But I'd just love some visibility into like what that pathway looks like to get to where you are today.

Derek Hanson: Yeah, so I can be long-winded, but lemme keep the story to like a reasonable amount of time here. So I grew up in a small logging town in Washington, and the reason I bring that up is it also happens to be the area where Bill Gates had a summer home, and so we grew up in kind of the shadow of where he had a summer home out on the Hood Canal in Washington.

Beautiful place. But it was always like, you know, it felt like you were in the shadow of Microsoft as a young kid really wanting to learn technology. And so I got this experience where I was able to work at, you know, the local school district, and I'd run 30 odd miles of Cat 5 by the time I had my driver's license, you know, and was involved in just really this great opportunity to learn the technology.

And so that started at a very young age, where being enamored, seeing like Bill Gates at Burgermaster in town, evolved into pursuing computers. And it was really just this passion around how they work, how to get in. And for whatever reason I was in identity from almost the ground, from almost day one. I got involved in a NetWare migration over to Active Directory. And this is when it first came out; it actually should have been Windows Advanced Server at that time. So it is crazy how long this journey has been. But to that end, where you're talking about identity and architecture, I actually did some work in a security space.

And somebody joined the practice that we were at and I got involved, very heavily focused on identity, worked with companies like Ping Identity and deploying their federation services for their customers. Worked with companies like IBM and some of the work they did in the automotive space.

I'll leave all the customer names out 'cause that's their world. But really the journey of it was getting a chance to see some of the largest companies in the world deal with some of the very complex situations on actually signing in, you know, and trying to figure out how to make that easy.

So, part of that work ended up where I landed at Costco for a couple years, about 18 months, and left as kind of their enterprise architect to come join Yubico as a young startup and really work on a very specific technology focus. But it's always been about how do we know who people are?

How do we make it easy for them to sign in? How do we make it secure? And these were the foundations of the MFA projects I had done for the years at the point before joining Yubico, but it was focused around everything. I didn't realize I was gonna be working for the next eight years. This was as zero trust was just a concept and starting to be talked about in small rooms.

It was as MFA was these things that we were doing to people, not things actually protecting ourselves. So, you know, it's been an incredible journey. But it's all been identity focused. It's all been around how do we make sure we give users the right way to sign into the systems they need to at the right time.

Elliot: That's incredibly impressive, especially since like, you know, you accidentally found a narrow piece of that cybersecurity world kind of from day one and it's led you to where you are today. So, I feel like Neal won't shun me for kind of calling this piece out, but of all the companies that sort of align or can slap zero trust on their product, obviously you all are definitely on that top of the list where, you know, I'm fine saying, yeah.

It's not like a VPN. You also just clearly allow for that concept to sing true. So I think that is where I'm going to actually hand this off to Neal, where we can have that conversation where, you've been there, you've seen like how standard systems allowed for access and identity, but you were part of the pioneer group to now have to navigate as the perimeter just doesn't exist anymore. Everything is blurred lines and all that good stuff. But yeah, this is where I'm gonna hand you off to Neal. You get to have that conversation and dig into that rabbit hole of how this stuff all functions in the zero trust world.

Derek Hanson: Yeah, let's do it.

Neal: Yeah, back over to me, so I think, well, we can kick it off a little light there. So, you know, let's maybe talk a little bit about just the importance of physical versus digital device, because I think that obviously plays a huge role in why Yubico even exists, is that variation. And to highlight once again, in the gov space, CACs, you know, we had our certificates loaded up onto a card, right? Our ID. We also, a lot of us, carried around RSA tokens, physical tokens, before you could do them on your phone, and well, can't do 'em on your phone in a SCIF anyway, so it doesn't really matter. But regardless, you know, physical devices were always kind of at the forefront of that security.

So then the person becomes the true ultimate failure point, not a compromised device, which depending on where you're at, Hopefully is a little easier to secure sometimes. But that's

trust so we can hopefully move beyond both of those paradigms. So anyway, I think that's a good starter package.

Why a physical device versus a digital footprint? In that sense, if you

Derek Hanson: Yeah. Well, I think when you start looking at how you authenticate, there's a million different ways that we could go around authenticating users. Everything from passwords to push to OTP. You mentioned the hardware security tokens. That's kind of where I got my start in the first MFA, you know, rollouts, was how do we send, you know, SMSes out to people for MFA, or how do we actually do these other actual security tokens that work when SMS doesn't work. You know, the first deployment I did happened to be right on the border of US and Canada, and depending where you were, you jump between AT&T and Rogers networks constantly. So, yeah, SMS wasn't really reliable and so we had hardware tokens as a good option for people.

So when you look at what hardware's value is, it's a couple of clear points. One is that credential that goes onto that device doesn't leave that device. You know, it's on there. It doesn't get extracted. And manufacturers and the technology vendors put a ton of effort into making sure that you can't steal the keys and the credentials of the secret information out of that device.

You know, at Yubico we use an industry-leading secure element. And that element, you know, we focus very heavily on all the security controls around it so that the secrets can't be leaked. That's a very long conversation around, you know, side channel analysis and all these other things. But the point of it is that there should be nothing that you can do with a hardware token to extract a secret from it that isn't incredibly obvious to the user. Oh, you beat me up and stole my token. Oh, you've melted this thing down so you could use an electron microscope. Whatever those things are, it should be obvious to the user that something's wrong here. And so I think that's one of the major advantages of a physical device: it's always with you, it's very evident if it's been tampered with.

And you can bring it wherever you need to go. What the challenge on the flip side, what you were calling that digital side, if it's in software, I don't know where it's been. I don't know where it's been copied to. I don't know if somebody took a copy of it because they got into my account. I do not have any sort of provenance information around that software credential because it could live anywhere.

And so it's really hard to establish trust in something that's not trustworthy in these high assurance scenarios.

Neal: Yeah, I think there's... I personally agree with all that. Otherwise I wouldn't be using one. But that being said, I think there's a couple of key things in there for the listeners to unpack a little bit. One, we talk about the provenance, we talk about access to the device and what that looks like. So, you know, I think that's why it took me a while to get rid of my RSA token in particular. 'Cause, you know, you didn't have to just use it in a government system. I had apps that I could use it for other stuff, which was very wonderful. The only downside is I can't plug it in like a YubiKey itself.

So there's a hindrance there, but long and short, to your point, I could take it with me. I have apps, or had apps, on my system that didn't require internet to enable, but they did require some kind of MFA response, right? So having an offline option. Like you also mentioned network latency, things like that.

Or even the network itself is untrustworthy, right. You know, there's a lot of things that, like for my YubiKey, I use it as much as Elliot loves VPNs. When I do travel abroad, you know, I have a VPN service, a couple that I use, and before I even log into the actual internet itself, I can authenticate to the app on my laptop with my YubiKey.

Whereas in other cases you'd have to actually log in, then enable, and then go, and there's all that handshake stuff that goes on before, right. So, for me, that's a big piece of the puzzle is having the option to be offline, still get things spun up, and then go online, especially with other security protocols and things like that. And then the other piece, to your point, we had a wonderful discussion with a gentleman who owns a cell phone service company about, you know, cell phone takeovers and things like that. Of the people who use MFA have something loaded up on here through pick a flavor of auth, right. And the fun thing about that is, like you mentioned already, I get access to the phone, I at least have one step closer to getting access to the rest of your MFA, depending on how they're established. Your re-up for passwords is set up through your phone for a PIN, congratulations. Easy peasy right there.

I'm done. If it's set up through email, I could probably eventually get there as well. You know, it's just layers and layers that are easy, but if I take your YubiKey, and I find out it's missing from my key chain, that's it. I change it. I deauth it, and I'm done. It's as simple as that. I don't have to worry about the other 500 things.

I just get a new one, re-auth, and I'm good to go usually. So for me, those are the big pieces of that puzzle. So that's pretty good stuff. Curiosity questions around how you start to see this play into more of the more enterprise authentication methodologies, right. So there's a lot of people out there that are reliant on more traditional digital footprints for MFA, but if we think about the IT spectrum of the house, how important is it to remove that digital footprint and apply a physical piece, for you in your mind? So that way the IT side in particular gets a little closer to that more zero trust or more secure environment that a digital footprint would, in the long run, kind of mitigate a little more.

Derek Hanson: Well, I mean, if you're thinking about zero trust, and let's just unpack what that is for a moment here. It really means that I'm not, as a system, I'm not trusting some other system's authentication session. I didn't get on the network and just magically have access to everything. It is, I've authenticated the user at the time that they showed up to know that this is who they claim to be.

We're not trusting other, just being on the network as a valid signal. And so what that means is you need to have good, easy to use, quick, strong multifactor authentication. And I emphasize the quick, because the benefit of not using zero trust and just relying on the gooey core of a network to just allow access to anything is that I don't have to authenticate my users very often.

And so if we're going to change user practice to where we authenticate you as you cross a new boundary, and we make those boundaries smaller and smaller, we need to make sure it has minimal impact on their use case. And that's the entire scenario around FIDO2. FIDO2 is a passwordless multifactor authentication protocol that was designed as the smart card capability that you mentioned in the PIV, which is how they sign in electronically.

It's designed to take that capability and stick it into web scale and web format. How do we sign in securely, prevent phishing, in a scenario where the user doesn't have to be responsible to know exactly what's going on, but the system takes care of it, and it's got good, strong credentials that then actually meet the bar for multifactor authentication.

I bring that all together, is if a user is going to sign into your system, they need something easy, fast, secure to sign in so that they're not hitting user experience hurdles in trying to access their applications. So the key parts in my mind here are getting a good authentication protocol paired with a good user experience added to each of those checkpoints where users now need to authenticate.

We can no longer afford to have bad user experiences because you only hit it one time. No, you're gonna hit it lots. It needs to be fast and it needs to be quick. So I think that's kind of in the vein of where you were trying to head with that question. I think for all of us, the benefit of strong, easy to use authentication is that we don't get saddled with a bad experience when we're trying to sign in.

But we can also rely on the hardware. Because the hardware can attest to its properties of how it's protected the keys, and so we'll move the security bar forward as well as the usability bar, and that's a pretty rare experience in my time.

Neal: Yeah, no, I think that's great. I think it's a good explanation. So thank you. I feel like one of the other things that we're gonna get here a little bit sooner or later, but is when we talk about passwordless environments, I do wanna go down the ladder here with the, what are they call 'em?

The biometric fingerprinting that they're doing, right. The user identity based off of how you touch the keyboard. Also other junk, not just plain biometrics, but the user interactions. Before we get there though, one of the things that I like about devices, and we saw this play out when I was in the government side of the house: you know, if someone does compromise a system and they're actively either A, replaying your session, or B, actively engaged on your box, in your session, in your solution, whatever it may be, nine times outta 10, the moment I take that card out, that session's done, in a lot of cases back in the day. I know that's come a long way with other services like this now. So for those listening, I think that's one of the big things. Even if you're not secure all the way to the end user and someone still gets in, a lot of times that session's only as live and waiting to be re-authenticated in this, you know, X, Y, Z timeframe to that physical device. Every X minutes, hours, whatever it is, and the moment it's gone, when you plug it back in, you have to, it's re-authenticating.

It's asking you for your PIN, it's asking you for all the other things that it needs to get going again. So the original session is either paused or completely cut, depending on how you stage things. So I think for people listening that's a big piece of why physical devices, to me, play a real large, important role. Even if you're, use pretty words, even if you're compromised, then, you know, there's the chance that you unintentionally cut that session when you get up to go to the bathroom, so long as you remember to take your device with you. And for me, that's a big piece, right? And so, on that note, one of my curiosity questions for YubiKey that I've never dove down is, let's say if we set up software through enterprise and all this other stuff with y'all, can I maintain a timeframe in the backend that requires it to recheck, or at least authenticate that the device is still physically there? Or is that something not quite there? How does that work, I guess? I mean, so the scenario being, once again, I'm setting up my box. Someone does get onto the box, but yet, you know, I either remove the device, or B, you know, trying to re-authenticate to that device every X, and if I'm just kind of jabbering to Elliot and the threat actor doesn't do that, you know, 'cause they can't. Is that a plausible scenario of security?

Derek Hanson: It. Yes, it is a plausible scenario. Now, how well integrated it is is, is kind of a difficult part of the question because that's going to the identity provider on that. Piece has to be able to do reauth and it has to interrupt what you're doing every so often to force a reauth. Now the re authentication, yeah, if you're YubiKeys present it'll, it'll ask very quick pin, touch the device make sure that you are intending to authenticate.

One of the things I think that often gets overlooked in some of the examination of FIDO is the touching of the device, or what it's called in the standard is user intent: does the human that is in possession of this device intend to authenticate? And so it requires a gesture from the human.

Some of the YubiKeys, it's a touch. Other times it's unlocking the device, it's a biometric. There's other things that qualify under user intent. And I call that out as to your scenario of, hey, the session has been compromised, the, you know, the device has been compromised. User intent means that the device requires a person to be there to actually authenticate.

Does it prevent other issues? Like, if your device has been compromised, it's game over. You're completely, you're just done. If your session's been hijacked, well, if that identity provider is actually closing out the old session and reissuing a new one on reauth, then you are preventing that session from living on.

But if all they're doing is authing and giving you access back to your old session, you're kind of, you really haven't solved the problem. You've just put a hurdle in front of the user. So I actually think one of the major challenges in it is not the re-auth, 'cause the re-auth can occur very easily.

It's actually web application session management. And that is its own nightmare of a problem to discuss. So, yeah, I think these are the right questions. One of the things that used to be a big topic was token binding. It was a feature that was physically tying your web session to the authentication hardware.

It's not supported in the browsers anymore. There's a lot of challenges, but people have been asking that question for a long time, because what you're talking about is kind of the holy grail. If I just unplug my authenticator and my sessions die, that is what we're looking for: that nobody can, not just presume to be who I am because they authenticated as me, but they can't use my sessions any longer.

We've got a bit of work to do to get the web ready for that, but that is what we're pursuing. Because session hijack is, if we get rid of phishing, that's the next place people will focus.

Neal: Yeah. Well, we've definitely got a long way for that first one though, don't we?

Derek Hanson: Yes, we do.

Neal: No, that's good. Awesome. I appreciate that. So, when we think about the, so once again for everybody, this, you know, we're not trying to say that a physical, at least I'm not trying to say that a physical device is the end-all be-all.

There's no one single solution, I think, is what we've hopefully all garnered from this podcast over the last year and a half. That, you know, it takes a lot of different approaches to make Zero Trust or any security strategy work the right way and be applicable. I just happen to be a very big fan of the physical devices. That being said, I think this is a good broach into the other piece, where we start talking about a passwordless environment in general.

Derek Hanson: Mm-hmm.

Neal: You know, the keys are great. I like 'em. You know, I plug off and I'm done, in a roundabout way, for the day. You know, it's good. Life is good. I don't get harassed as much as I used to by the systems, and I live a happy little quick life.

Like you mentioned, ease of use combined with actual high-level security. When we start thinking about the future passwordless security and environment, with the biometric-type stuff and the fingerprinting of a user and what they look like on a keyboard or a session in general, do you see the YubiKey and physical devices like that being able to mesh with that?

I know there's synergistics behind all that, hopefully, and being able to still fully enable legit 100% passwordless, you're done: log into your bank simply by, you know, typing out a phrase, whatever it needs to be, or just doing your day-to-day stuff, with the YubiKey in the background doing its fun stuff too.

Derek Hanson: So I think the challenge here is unpacking what people think passwordless means. And so, you know, when we start talking about what is a passwordless authentication experience, we're all accustomed to different types of passwordless experiences every day. One of the ones I use a lot of the time to discuss the model with people is your debit card.

Anytime you use a debit card, you go in, you present a device, you use your PIN, now you're able to access your account and get your money out. The point in that is that you've possessed something, and then there was a secret you had that unlocked that something. So you've really achieved, at that point in time, passwordless multifactor authentication to your account.

You know, there's a secret on your credit or your debit card that was used. Well, passwordless, to be of value, has really got to combine multifactor authentication into it. And so we've had passwordless authentication schemes on the web for a very long time. That doesn't mean they were secure; that doesn't mean they were phishing resistant.

And so, when we talk about passwordless at Yubico, we're talking about one of two things. We are talking about FIDO2 authentication, or we are talking about certificate-based authentication, where the certificate or the FIDO2 credential lives on that YubiKey. And it's key to talk through the fact that that credential is an electronic set of data that lives on the key, that is unlocked by a PIN or a biometric, depending on which key you're using, to then authenticate to the system.

You mentioned earlier kind of wanting to get into some of the other biometric things that are out there, like user behavior analytics. These are all great risk elements for defining: is the user actually the person that we think is supposed to be using this device, so I don't have to re-auth them.

They're not authentication methods. They are risk analytics methods for possibly identifying the person. And I think we need to be clear that there is a difference between identification and authentication. Is this really Neal? Or is this the account that Neal has control over? And those are two very different questions.

And many times authentication does not require identification. And I wanna make sure that we don't blur those two as we're talking about it. 'Cause when people are talking about behavior, they're really identifying: is this the same person that we've seen before? And that's identifying, that's not authenticating.

That risk, or, sorry, that biometric, is a probabilistic match that this is probably that person. And to what level of probability are you willing to trust? It depends on the system. But why trust something that's probably Neal, when you can trust something that's definitely the account owner?

And so I think that's kind of how I look at that. What do you think?

Neal: No, I think that's great. That's honestly the first, I think, succinct perspective on the two different sides of the house. 'Cause there is a group of people, thank you for reminding me of the word, by the way, user analytic behavior stuff, behavior analytics. See, I can't even say it in English.

I speak Spanish too much. I flip words around. That being said, you know, UBA is being tossed about a lot by some entities as an authentication, not the other way around. So, you know, when we see the promises of a passwordless world, whether it's at RSA or Gartner, or pick a flavor that day, I think you have two approaches.

You have people who live in the authentication world, like you're in right now, then you have people who are doing identification with UBA, but they're treating it like authentication as, you know, some kind of potential panacea for the end user to never ever have to type in anything other than what they want to type in ever again, or use any other devices, as the way that some preach it. So your distinctions, I think, are very valid and a very appropriate line in the sand for how that should be treated. And so, back on the other side of this, being able to use multiple echelons, multiple layers of approach, right, to get that closer to Zero Trust, or, to even more aptly, you know, bring the fidelity level of what you're doing, with who you're doing it with and what devices, you know, all that stuff, higher, with both pieces of it coming together. So thank you for the distinctions. Like I said, you're literally the first person that I've asked this question that didn't treat it as part of the authentication piece, but so much as the identification side of the house. So that's a cool perspective.

Derek Hanson: Oh, thanks. And I think this comes down to just looking at the problems for a very long time and realizing that anytime there's a new trend, or anytime there's a new thing, everyone wants to be included in that hot new thing and be a part of it. And the reality is we all have very different and complementary roles to play.

And what gets dangerous is when everything becomes that nail for the hammer to hit. And so, we have very good technology that needs to be part of the portfolio. If you're building a system for users to sign in, these are things, whether it's UBA, like you mentioned, or it's VCs and credentials that sit in wallets on the DID side of things, there's a whole other front we could go down.

Everyone wants to be part of the authentication stack. The problem is, when you look at the broader account information, when you're trying to deal with identity at the account level, it's not just the authentication of it. It's how did that account get registered? It's how does that account get recovered?

Is that user the same person? And you start looking at a life cycle; that's when these other things start falling down as to what do I wanna rely on for authentication. What prevents phishing? What helps me recover the users in a phishing-resistant and self-service way that's simple and easy to use? And how do I actually get to a place where my system stands on its own without having to man a fleet of people across the globe so that they can come in and do account recovery?

These are hard challenges, and so we need to make sure all these components work together for identification, authentication, authorization, and all the other A's that are a part of identity. So I could soapbox on this for way too long, but I'll pause.

Neal: You've got, yeah, you got 18-plus minutes, buddy. I ain't got nowhere to be at, for a call, for at least 15 minutes.

Derek Hanson: Oh, that's dangerous. You shouldn't gimme an open mic like that.

Neal: Right. This is your platform to share and have fun. I listened to one of the other podcasts a little bit earlier this morning, from last year or maybe the year before. It's before you moved into this role, when you were still doing service delivery-type stuff.

That is where I'm getting some of my curiosities from, by the way, straight from you anyways.

Derek Hanson: Oh.

Neal: That being said, no, that's good stuff. So, back on track, you know, when we think about the layer that the physical tokens provide, we think about the roll-up of this. I'm gonna kind of bring us back into the IT-specific world. So the Cat 5 pullers and the server guys and gals. You know, I focused on that because I think where we're at from an exploitation level globally, like what's being targeted? Yes, phishing, malspam, the end user is still definitely very much targeted, but with the way we look at certain exploit packages, you know, there's been a larger uptick in server-based type things over the last couple years, whether because of new vulnerabilities or just because of focal points, because of bang for your buck with ransomware and all this other fun stuff. So, you know, for me anyways, and my question will be if you feel similar to this, at least focusing on staging things and getting in the right direction with a passwordless environment, I think from a scale of economics, at least initially, your bigger bang for your buck is with the IT people to get started today, especially in larger enterprises, where, you know, you've gotta validate the package, you've gotta validate whatever updates and things like that are. But they need to come from that trusted resource, not just the physical persona but the digital persona as well. You know, there's a lot of things that manage both of those aspects already, but when we move towards passwordless environments and giving that IT person or the patch management team a little ease of use for authentication, do you feel like, from a starter package, that that might be a good place to really focus if you've gotta pick, as opposed to the whole thing? Do you think that there's a little bit more impact there, or do you think focusing on end users is more impactful first? Like actual just, you know, whoever's sitting at the computer looking at YouTube all day.

Derek Hanson: I think I would change the perspective slightly on the question. Instead of it being which user group, I would look at it as an organization. And what I would say is, elevating up to the organization level, you've got really three major buckets, to me four major buckets, that you could talk about in any enterprise.

You've got your end users. Everyone talks about the end user multifactor authentication, because, especially in the Active Directory world, if I got a presence, if I owned your session in Active Directory and anybody else is logged into that box and I'm able to exploit LSASS and get a credential, now I can privilege escalate and move laterally, and it became this game of moving through the organization.

So any foothold was a dangerous foothold. In a cloud-managed environment, it's slightly different, because we're not relying as much on things like Kerberos that have these really symmetric key assumptions built into the protocol. So end users are important. I think they're one leg of a strategy.

I think another leg of the strategy is exactly what you talked about, which is privileged accounts. How do we make sure the people that have access to the keys to the kingdom are doing things simply and securely as well? We can't impede their progress. We can't do that. But the other, third leg in there is actually service accounts.

And application accounts and all the rest of these things, because if we're gonna truly go passwordless, we now end up with, well, what about all these accounts that run on behalf of somebody, or do this other application, batch, and process? So I think all of those three require a very specific strategy.

And that fourth bucket was possibly, you know, as a business, you exist to serve your customers. So where are your external identities, whether it's customers or vendors or suppliers that have access into your environments, and whether those are applications or networks? And so you end up needing to have strategies for all of them.

The only reason I kind of wanted to flip the question is I don't think you can actually afford, in this world, to go either-or. I think you have to have incremental steps and strategy across all of them in parallel. If you've got the same password being reused on multiple service accounts, you're gonna get popped.

If you haven't rolled out MFA for your admins, you are gonna get popped and it's gonna hurt. If you haven't done anything beyond a password for your users, not only are you going to get popped, you're probably gonna get popped lots of times, and then they're going to find a myriad of different ways to live in your environment for a long period of time.

Because the issue of end users is, did they get persistent access on that device? After popping the user, what else happened? And so I don't think you're posing the wrong question of, like, which one of these do I prioritize? But I am coming back and saying, I think it's worse than just A or B. I think it's all of them.

And how do you make an incremental improvement towards passwordless? Reducing the risk of the passwords we have for a long time in, like, managed accounts. And how do I actually go after protecting the accounts that have the keys to the kingdom, while using what we have to go out and protect the end users? It's hard, because to choose one, to prioritize one, is to neglect the others.

And I think all of them represent risk in a significant fashion to an organization.

Neal: No, that makes sense. Like I said, good perspectives. So I think it's important to know that, from the vantage points, you know, where obviously those risk profiles sit, right? So as an intel person, you know, one of my jobs is to create those threat risk matrices, yay, of numbers and some things in an X-Y coordinate thing.

Derek Hanson: Mm-hmm.

Neal: You know, to that point where you're making, you know, I do agree that if you were to do the risk matrix analysis in general, you would see both of them, probably for various reasons, up to the top right. And so, to that end point, if you, you know, if you need to focus, you should obviously focus on solving the large-scale problem across the board and not try to leave too many chinks where you can.

Right.

Derek Hanson: Yep.

Neal: So on that note, and I just completely backtracked my brain on where I was gonna go with the next question, but that's okay. So we'll get there. So I had, in a roundabout way, what's one of the key things here that you would like to share that we haven't discussed? I'll just throw out that question real quick while my brain catches back up.

Derek Hanson: Yeah. So I think, you know, as you were talking through, and processing what I just said, I think there are places to prioritize. And so, back to your point: your domain admins, protect your cloud admin accounts. Start there, because the risk, the blast radius for those accounts being compromised, is significantly higher than if an end user gets popped and their machine is owned, or their email account is owned.

Yes, they all represent different risks. But let's get the catastrophic ones off the table first. So start there. The other thing I would say is, you know, look at the external accounts that have access to your system. When I was at Costco, we had 200,000 employees that had access in the directory.

We had 400,000 vendor identities. And so when you're dealing with supply chain, third-party access to your environments, you cannot remove or ignore that risk, because a lot of times that is scarier than your actual employee access, because they may be doing contracted things that have more risk than many of your employees actually represent.

So, you know, the people that manage your money machines: pretty high risk, you know, very attractive accounts. They're not your employees; it's a contractor. So it really is about understanding who has access to what, and making sure you have a strategy for all of 'em.

Neal: Yeah, I think we could do a whole series on supply chain risk management, not just zero trust, but

Derek Hanson: Oh yeah.

Neal: a lot of other fun things there. But I think on that note, though, I think that's a very valid point. And I used to work at the retail ISAC as the intel director there for a small spell. Probably, I don't know when you were at Costco, but I was at retail when it was still, when it first got started. So I don't know if it was around when you were at Costco. But that being said, supply chain risk, it's a thing for any company. It doesn't matter if you're retail, financial, whatever; everybody's gotta get tools from somewhere, digital, physical, so on and so forth. And

you know, there's an anecdote now in the news about Cisco getting in trouble in China, but what does that mean for us here in the States? You know, is that same software still lingering, or was it just an add-on? Stuff like that. So when we think about external sources, that does kind of scare me a little bit for, you know, what piece of what device, what software, whatever it is that you loaded up, and who actually has access to it that you're not aware of. And that's a whole other ball of wax to go down. Thinking on this a little bit more, if we go down the supply chain just a smidge, have you seen enterprises that have necessarily gone out and procured YubiKeys and things like that, or made that part of their requirements, that security protocol, for these third-party entities? Have you seen successful utilization of contract vehicles to drive their vendors into a more either Zero Trust and/or passwordless, secure environment-type mentality?

Derek Hanson: We've been in conversations with a lot of people that have started to create the capabilities. Mandate is a different kind of bar. And so, a lot of the places where I saw a lot of early traction with FIDO was in business-to-business banking. If you're gonna have access to this, we wanna be able to enforce FIDO authentication.

And what it came down to is this mindset of: we need to be able to enforce that it's FIDO; we just don't wanna own the operating complexity for managing a token hardware fleet for our vendors. And that's actually the beauty of FIDO in this case: you're starting to see, in more and more of the vendor management products, support for FIDO authentication.

And so as an enterprise, if I have vendors and suppliers that sign in, I can start to work into my contract vehicles: you will bring a FIDO authenticator to access our services, so that we can reduce the risk of phishing here, and without necessarily some of the older models of, now I need to go buy tokens for everyone that accesses my organization.

It just never was gonna fit in a CISO's budget. But being able to say, thou shalt go buy a FIDO authenticator, is something where it distributes the cost and management out to your vendors and suppliers, where, okay, now I've gotta buy five YubiKeys for these five users signing in. That's something as a supplier I can manage.

Versus, as the core enterprise, I don't want to go buy hundreds of thousands of keys to put out to suppliers who may change, because the business model, you know, our partnership and relationships change there. I think the biggest challenge there is actually contractual, not technical. It's making sure that these long-term contracts say, no, you need to eat this cost of signing into our system.

And they're small costs, but it's all the things that add up into a part of the business relationship. But with the right imperatives, it will move forward.

Neal: Nice. Yeah. It's something that I think I'm dealing with on this side of the fence from my nine-to-five. In a good way. In a good way.

Derek Hanson: Mm-hmm.

Neal: I know we've got a few minutes left. I wanna give you a chance to at least ask one question towards the end here. So,

Elliot: Yeah, so usually this is about the time where I try to, I dunno, throw out a, not necessarily a stumping question, but one that probably would open up a rabbit hole. Instead, I would love to talk a little bit about, talk smack maybe, about a particular platform which is just continuously making every decision under the sun.

Neal: Microsoft. Oh, sorry.

Elliot: Which one?

Neal: I said Microsoft,

Elliot: No, come on, way worse than that. So, I will hone this in to this conversation in particular. So obviously 2FA, multifactor in particular, comes in a lot of different flavors, and we already addressed that. SMS-based: not the best choice, but it is a choice.

And if, you know, we have one choice and that's it, fine, cool. But I'd love your perspective on, outside of maybe it being a cost savings for a certain company that has a bluebird for a logo, that made the pivot to only allow that free option, you know, what do you feel like the risk outcome might be out of a situation like this? Obviously, again, there is still multifactor available, but, you know, if you're gonna completely lop off an arm that was a little bit more secure in nature. Actually, no, I think I might have that backwards. It was less secure on the SMS side. But they were reducing the availability because of the user experience; that's probably the better way to position that.

I have that backwards. So what is your perspective on that? Maybe, like, if we're looking at it from a risk reduction perspective, do we feel that the amount of people

that got cut off from SMS maybe went to an authenticator app or something like that? Or, yeah, I would just love your perspective.

Derek Hanson: As somebody who's managed MFA deployments, the way that that went out would've never been a strategy or a plan that I would've gone with. However, I am actually very pleased to see that it went out the way it did. The faster that we get rid of SMS OTP, the better. It's not even a picket fence of security.

It is really this false sense that I've done something and that it continues to be okay. You talk about SIM jacking, and you talk about all these other places where SMS OTP is what stands between people and their accounts. It's dangerous. And then if you're talking about, I'm operating the infrastructure that is sending out these SMS OTP codes, like, why?

Just shut it off and spend that money and develop something with support for FIDO2 and WebAuthn. Your users will actually be secure, you'll save money in the long run, and you'll have improved the user experience. The worst user experience out there is one of the banks that I deal with, where I have to provide my password twice.

Because when I sign in the first time, it uses my username and password, then it sends me an OTP code. I have to bring over that OTP code and type my password in again to sign back into this bank. Like, why, what am I doing? It's cost a ton of money, 'cause every one of those SMSs you're paying for, and that's the legitimate ones.

And then you're dealing, you know, and we haven't actually improved security. So, you know, if you've got my password in the first place, SIM jacking my phone is probably not all that hard. Getting it transferred is probably not all that complicated. So I mean, the problem that we have here is it looked like a bad idea because of how it was rolled out.

It was a great result for security in the long run, which is, let's rip out this stuff that is giving us a false sense of security. And honestly, the only people that win in the SMS OTP game are the telco providers that are charging you to send that SMS code. Every single time I trigger, if I'm doing a password spray attack and I'm just slamming your directory with all these usernames and passwords, there goes 3 cents.

And how hard is it to hit you with a hundred thousand requests in an hour? Well, that starts to add up to real money out of your IT budget, for what?

Elliot: I love it. You see, there we go. I teed something up, we did not have to go down a rabbit hole, and you knocked it out of the park. That's what I was going for. Totally meant that. Thank you for putting that into the proper perspective. I think, you know, that was generally what we saw from the community in the cybersecurity world, that they just need to rip off that bandaid for SMS in general, but maybe communication was lacking in that situation. There is a better way to position it, I guess, was probably on their end, but yeah, I think it knocked that outta the park. That's definitely something we need to probably remove, that safety blanket, which is just actually a bunch of holes and mostly rags in the yard at this point.

Derek Hanson: Yeah, I appreciate that. 'Cause I think, at the end of the day, we need to do some things that are a little bit more radical to make some improvements here quickly. I believe, when you look at passkeys and some of the stuff that's coming out, there's gonna be more and more options out there. But the longer that we hold onto these tattered rags, I like that phrasing of SMS OTP as a security blanket,

the worse off our end users are going to be. I'm just hopeful that we can figure out a way to make it easy for the users to adopt a better security solution, not just rip it out of their hands and wait and see what happens. So,

Elliot: I agree. Unfortunately, I will say you almost opened up that can of worms. I would love almost an endless series focused on user experience as it relates to cybersecurity, because that is probably, like, the biggest pain point that everyone ignores, you know, a startup organization that has a new vendor product, like, you know, end users are rarely concerned anyways. Without trying to bring us down there and keeping this going much further than it needs to, Derek, thank you so much for joining us and sharing your perspective and your insight and your expertise. We really appreciate you being here and, you know, poking a little bit at Neal, which I always love to see.

Derek Hanson: Hey, this has been a great experience. Elliot, Neal, thank you very much for having me on. And, you know, maybe we will go down that rabbit hole of user experience and security someday in the future, 'cause I think that is an untapped message that needs to really be hit well. So thank you for having me.
