Cyber Leaders Exchange 2023: Okta’s Sean Frazier on killing the password dead

In mid-July, the White House hosted federal and industry cybersecurity leaders to hammer home the point that the time has come to fully adopt phishing-resistant multifactor authentication.

The goal of the meeting was two-fold, explained Sean Frazier, federal chief security officer at Okta, during Federal News Network’s Cyber Leaders Exchange 2023:

• First, reiterate the importance of using strong MFA “to achieve a simple, seamless and secure digital experience,” he said.
• Second, continue the conversation started with the release of the National Cybersecurity Strategy, which called for the public and private sectors to align technology strategies to address shared security goals in an interoperable and usable way.

Using multifactor authentication is a new idea. All the guidance around identity and access management from the Cybersecurity and Infrastructure Security Agency and others says to use multifactor authentication.

“But not all MFA is created equal,” Frazier said. “That was one of the common threads of the symposium — to talk about phishing-resistant factors. How do we think about multifactor authentication and a better user experience? And how do we make this is really the jumping-off point to start talking about getting rid of the passwords and making passwordless authentication a real thing?”

As Frazier pointed out: “We’ve been talking about getting rid of passwords, I would say, for almost 20 years. Part of it is the technology had to catch up to where we are.”

With FIDO2 passwordless authentication and other approaches that work on mobile devices and desktops equally well, the opportunity to finally “kill the password dead” is here, he said.

That’s why the White House’s meeting emphasized the need to get past the need for usernames and passwords once and for all.

Any MFA is better than no MFA

Phishing-resistant MFA is different than just regular MFA. Frazier said phishing-resistant MFA means there is no ability for a man-in-the-middle attack where a bad actor can capture someone’s information from the authentication stream.

“It includes some things like the user origin binding and it includes things like the device binding,” he said. “Even if the person got anything off of the wires or the conversation, they could not use that to impersonate you.”

With nonphishing-resistant MFA, attackers — who Frazier noted are getting more sophisticated and faster — can capture code that is texted to a victim’s cellphone or sent to an email address.

“I always tell people that that any MFA is better than no MFA. If you’re telling me you can’t do any MFA, and the only thing you can do is SMS, I’d say, ‘OK, do that,’ ” he said. “But anytime you have something that you know, like a password, and also something that’s going to be shared with you like a one-time password, it’s really not that difficult for attackers to either figure that out or figure out a way for you to give it to them or figure out a way to sit in the middle of that conversation and pull that off the network and use it on your behalf.”

The use of phishing-resistant multifactor authentication is therefore a fundamental ingredient in the implementation of any zero trust architecture.

Frazier said he’s seen the use of strong identity and access management mature across the government over the last few years.

Finding the right friction balance

But culture obstacles continue to hamper agencies in reaching a higher level of maturity, he said.

“To me, it’s almost an evolution not a revolution, so these changes are not nearly as big as they seem upfront,” Frazier said. “But some people are still resistant to change because we’re human beings. It’s kind of what we do.”

He described that cultural shift as moving from protecting everything on a network — using firewalls, intrusion detection systems and intrusion prevention systems — to moving security to the endpoints, essentially every user device and all applications. “That’s a big fundamental shift for folks,” Frazier said.

To address that requires continual communications across organizations, he advised. Agencies need to develop communication and action plans to ensure leadership and frontline workers understand the changes that are happening. Frazier said some agencies and organizations are finding success in changing culture through a center of excellent approach.

A center of excellence approach lets an organization handhold its users and provide a strong communication platform to keep everyone informed, he said.

“This is not a government problem or an agency problem,” Frazier said. “This is a writ large technology problem in society, where you need to have that ability where you meet the users where they are, provide very little friction for them and provide all the friction to the attackers as you build a robust security architecture that is flexible enough to support that.”

And that user experience matters a lot, he said. “I am just as passionate about good user experiences as I am about good security outcomes. I think this is one area where we have challenges where we as security people like to be the people of ‘No!’ We’re going to tell you what you can’t do because we’re security people, and we have to figure out ways to enable people so we are the people of ‘Yes.’ ”

Why? It’s simple, he said: If security teams create friction for users, the users will find a way around protections. Agencies must therefore strike a balance between mitigating risks and creating good UX, Frazier said.

“We need to make sure that not all the onus for security is put on the end users, which is back to the password. … For the most part, I think that the burden for a lot of this, as builders of software and builders of security, should be put on us. We should build secure-by-design things. We shouldn’t rely on the end user being able to configure things appropriately.”

For more cyber tips and tactics, visit the Federal News Network Cyber Leaders Exchange 2023 event page.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.