Why maybe, just maybe, the era of the password is finally sunsetting

Passwords are a pain in the neck for computer users and easy for hackers to work out. Yet they persist, despite the availability of alternatives. Now tech vendor Cisco reports a sharp rise in the use of biometrics and other forms of multi-factor login, and greater interest among IT executives in moving past passwords altogether. Cisco’s Global Advisory Chief Information Security Officer Dave Lewis spoke to Federal Drive with Tom Temin for more.

Interview transcript:

Tom Temin: Mr. Lewis, good to have you on.

Dave Lewis: Thank you for having me.

Tom Temin: So this was a study of executives in IT. And it seems like the pandemic from what I read in the report is maybe the forcing factor to finally move past passwords, which is something IT executives have been talking about for decades, it seems.

Dave Lewis: Yeah, we’ve been stuck with this since basically 1962, when it was implemented as a control at MIT, because students were stealing high-end compute time from each other. And the professor there said, OK, there’s enough of this and put that control in place. And we’ve been living with that as a security “control” ever since. And the problem is, it’s basically equivalent to using a house key to get into your house, right? You sure you can lock the door, but if you lose your key and somebody else uses it, it doesn’t mean that the person coming through the front door is the right one. So we have to look at ways that we can effectively democratize security. And by virtue of that, I mean, making it easy for people to do their jobs without having to worry about security for the sake of security. So we want to make sure it’s done in a safe and secure fashion. So multi-factor authentication, biometrics, passwordless – these are all controls that we can put in place to help improve things. And yes, the pandemic has absolutely driven a lot of this conversation, because you have all these people working remotely all over the globe, and passwords have limited utility. And the attackers know this. And when I say attackers, I mean hackers with criminal intent. They target folks because they’re playing on their insecurities as a result of this new paradigm that we find ourselves living in.

Tom Temin: And most of the multifactor authentication systems, and a lot of them came in with people using VPNs more, is still your password. And then you get a generated code that lasts 60 seconds from one of the vendors that does that. But biometrics hasn’t really seemed to catch on that much in the log-on space. Is it necessary to get past that six-digit code? Or is that good enough? Or is there even a better way?

Dave Lewis: There’s definitely better ways. There’s push-based technology that will send a message to your phone that you could authenticate with a device that you’ve already been enrolled with. But more importantly, a lot of the devices that we see in the market today have fingerprint scanners built into them. So this is becoming socialized with the consumers at large. And these consumers work in enterprises, and they work in federal government space, and they all are taking that message into their own organizations saying, “Well, I can do this on my phone at home to get into my banking, why can I do this for work as well?” So the message is spreading in that regard.

Tom Temin: What about facial? Because a lot of the phones now the smartphones do facial?

Dave Lewis: Yeah, and facial recognition, absolutely. That’s another biometric factor as well. And the thing that people have to understand is these scans are not being held by some corporation that can be accessed. These – this data is stored in what’s called a secure enclave on the device. So when it’s stored there, that means people can’t get at it other than yourself. So it really does reduce the risk to the individual as fundamentally as well as the enterprise or the government agency. So they don’t have to worry about marshaling that data, because that’s one of the biggest problems we have to deal with today. Is organizations being good stewards of the data that they have.

Tom Temin: Got it. And so what is the persistence of the password, then, when all these things are so eminently out there?

Dave Lewis: Well, you know, humans have opposable thumbs, but we haven’t really got that far down the road. And we are very used to doing things a certain way. And we are fundamentally not good with change. And this is one of those things where we have to make it clear to the wider audience that this is a good change, this is going to make life easier. You know, I was a customer of our product back before I ever joined the company. And I realized very quickly the value proposition of being able to do something as simple as scanning with my thumbprint to get in. But it also has to be clear that this is done in a safe and secure manner. This is not just simply, we’re doing this purely for the sake of convenience. We’re doing this to help those that are doing, working in finance, working human resources. All the folks that are not technically savvy, and they want to be secure as well. But they don’t necessarily have the capacity to understand how to ask for that. So we have to, as security practitioners be the adult in the room.

Tom Temin: But as an organization, there is also a lot of built in, I guess, infrastructure around the password. It can be stored in Active Directory and other similar systems like that either on premises or in the cloud. How do you store someone’s face and disenroll them when they leave the organization for example? There’s more than just alternative to password because of the infrastructure built up around password.

Dave Lewis: Exactly. And that is a sunk cost that every organization on the planet that has a password control, they have to realize that they are figuring out how they’re going to move from point A to point B. And when they’re looking towards changing to multi-factor authentication, biometrics, and what have you, further down the road they are not storing that data as the fingerprints or the facial scans in their own systems. But they do have the account in their system so that when somebody departs, say a federal organization or a company or what have you, they can deactivate that account. And then that cuts off their access. The scan of the face, the fingerprint are resident on the device. So that is not something the company or the agency has to worry about, because they’re not actually stewards of that particular dataset.

Tom Temin: And from what I understand, facial recognition is getting so good, it can almost distinguish between twins.

Dave Lewis: It is actually fundamentally doing exactly that. At one point, my daughter was able to scan and use the facial recognition to scan into my wife’s device. That is no longer possible. They are – they were very close at one point. And now it’s definitely a case of the phone goes, “Yeah, you’re not who I think you are.”

Tom Temin: Yeah, reminds me of the old ad “only the hairdresser can tell for sure.” We’re speaking with Dave Lewis, he’s Global Advisory chief information security officer at Cisco. And I want to get to the survey, which came through the Duo Security part of Cisco. What did you find? It seems like there’s definitely a movement afoot almost to get past the password in an organized way, in a lot of large organizations.

Dave Lewis: Yeah, a lot of organizations are seeing an increase in biometrics, for example, like we were talking about with fingerprint scans and facial recognition about 71% bump in the number of devices that actually have biometrics enabled. Because handset manufacturers are realizing that this is definitely the way forward. And this is going to help socialize us with a wider audience. As well, we’re seeing password-less authentication has increased as well, roughly five-fold since 2019. So it is definitely being adopted for most organizations as something that they have to realize they’re moving towards. Because you know, the house key analogy is salient for most organizations. When you look at the amazing number of data breaches we’ve seen over the years. There’s a great data visualization website out there called InformationIsBeautiful.net, and they do presentations of all sorts of datasets. One of them is data breaches. Now, if you go back about five years, there were just a few bubbles on the screen. But now it’s an absolute wall of data breaches. So organizations realize that they have to do a better job, because when the attackers get these credentials, they’ll then replay them against other sites in an attempt to gain more access. And there’s a huge financial incentive for them, because the old way of hacking into a website and defacing it and saying, “greed stole my friends,” has limited utility. That has really – it’s really manifested into a major industry on the criminal side, at least.

Tom Temin: Now, public policy for federal agencies coming from the Biden administration, as they try to update security policy for agencies is calling specifically for two-factor authentication. But it doesn’t say what the two factors are. If you eliminate the password and go to say, facial, or biometric – and that’s, that’s Duo’s business – do you also need a second factor? Can multi-factor be that six-digit code plus your face but no password? Or how does that work?

Dave Lewis: Well, honestly, it really is less about the technology and more about the requirements of the agency or enterprise. So you know, if you’re making teddy bears for centrifuges, you’re going to have a different risk profile. So it really boils down to what is the outcome for that organization, because the technology is there. You can tailor it according to your requirements. And the organizations that are out there have to sit down, say, before we talk to a vendor, we want to know, what is the outcome where you’re trying to achieve? What are we trying to protect in our organization? So yes, you want to do all sorts of different levels? Yes, you can. But do you also want to alienate your workforce? You want to make it as easy as possible. And this is why I talked about democratization of security and password-less is a great example. It is two-factor authentication as well, because it is who you are, and what you have. So you have to authenticate with your thumbprint. And then it is done in the background, transparent to the user. So the authentication mechanisms are still there, it just now it is easier for the end user to get their job done and fundamentally focus on their core competencies.

Tom Temin: So you’re saying that if you use facial or thumbprint then you have two-factor inherently because you have the device and you have the thumb?

Dave Lewis: Correct.

Tom Temin: Yes, because someone else with my device couldn’t use my thumb, nor would my thumb work on someone else’s device, ah ha!

Dave Lewis: That is the plan, yes.

Tom Temin: Got it. OK, now I understand. So if you insist on that six-digit code, really, you’re backing into three-factor, and that might be overkill in a lot of instances.

Dave Lewis: And that’s just it – you want to make sure that usability is a factor because you are dealing with the human element. And if we don’t take that into consideration, then people are going to find ways around systems. That’s why we see skunkworks projects spin up. That’s why we see people finding new ways to get into systems so they can get their jobs done. It’s not even so much out of malice. It’s out of – they want to remove the roadblocks so we have to make this as seamless as possible.

Tom Temin: Dave Lewis is global advisory chief information security officer at Cisco. Thanks so much for joining me.

Dave Lewis: Thank you very much for having me.
