Interview: Yubico ANZ vice president on passwords in the modern world
Thu, 7th May 2020

This week marked World Password Day - and although passwords are still the primary way of accessing all of our accounts, should that still be the case? We spoke to Yubico's ANZ vice president Geoff Schomburgk to find out his thoughts.

As a brief introduction, could you explain a little about yourself and the team you work with in ANZ?

I have a background in engineering and strategy consulting with over 25 years of experience in the global information and communications technology (ICT) industry. At Yubico, my team is responsible for educating enterprise users in the APAC region about why strong authentication is critical to a security infrastructure. Once an enterprise customer is ready to explore modern authentication, we help enterprises onboard the right solutions strategically and efficiently.

Many of our readers will have at least seen some talk about why passwords are dying, or in some cases dead. Though here we are in 2020 and, although there are more security authentication methods than ever, passwords are still very much alive and kicking.

What is it about passwords that makes them so ubiquitous and long-lasting?

Passwords have lasted so long because of the simple user experience: everyone who has used a computer has had to set up a password, so the process is now embedded in our collective psyche.

A username and password used to be sufficient to protect users' online accounts and, at one point, they were easy to manage. As more services have moved online and technology has grown more advanced, so have phishing and cyber attacks. Passwords are not strong enough to solely protect online accounts. In fact, 81% of breaches are caused by stolen or weak passwords.

Although passwords are still alive and well, there is a growing demand for a world without passwords – especially with the rapid growth of remote work and an immediate need for a secure, but usable solution that is also easy to deploy. With open authentication standards, like WebAuthn and FIDO2, a passwordless future is attainable.

Yubico has a different approach to security, ditching passwords for physical YubiKey keys across different device types.

Could you explain how YubiKeys work, and what separates them from other authentications such as tokens?

A YubiKey acts as a physical key to your digital world and secures your online accounts, just like you have a physical key for your home and your vehicle.

The YubiKey differs from traditional tokens in that it can be used simultaneously across many different applications and environments, whether at home or at work, and across your personal and business applications.

We do this by supporting eight of the most common authentication protocols in use today on a single YubiKey, which allows for a simple, easy-to-use touch capability that removes the need to type one-time passwords or use passwords at all.

Additionally, the YubiKey does not require batteries, is extremely durable and is easy to use whether you have an iPhone, Android, Mac or Windows device.

From an ANZ perspective, what are you seeing in the market – what is driving organisations to make the change to passwordless security – or what is holding them back?

We're seeing that enterprises are moving to passwordless because current MFA solutions are too cumbersome for most users. When it comes to security, it must be usable or else it risks being rejected by users.

Secondly, the groundswell of user adoption of simple login options on their favourite device is driving demand for organisations to provide a similar experience in the workplace.

Passwordless achieves optimal usability and convenience while also maintaining a high level of security.

In terms of why organisations might be hesitant, typical organisations believe that there's a high level of overhead involved when optimising a security landscape and many have limited IT resources. Also, passwordless authentication is still in the early adoption stage and not fully mainstreamed by services — although, it's moving in the right direction. WebAuthn is now supported by all major browsers and operating systems including macOS and iOS Safari, Google Chrome, Brave browser, Microsoft Edge, Azure Active Directory, and Windows platforms.

Imagine that a CISO says to you that their current authentication methods work just fine. How would you explain the benefits of going passwordless?

The benefits of passwordless fall into two main categories: simplify security and simplify the user experience.

If there are no passwords in your organisation, then this also removes them as an attack vector for adversaries. The login experience for users is also quicker than traditional 2FA methods, which over time reduces friction with users and delivers time efficiency across day-to-day use.

An added benefit is a reduction in support costs. There are costs associated with any authentication method and it has been proven that moving to a passwordless or modern authentication method will reduce the support overhead by up to 92%.

With the YubiKey supporting both legacy and modern authentication protocols, organisations can onboard passwordless authentication in stages, rather than all at once, ensuring secure authentication (locking their front door) that also provides users with a seamless user experience.

And what could be some of the considerations or drawbacks?

The drawbacks or barriers to passwordless adoption generally fall into two main areas:

i. Concerns/fears about the disruption that it might cause to the business. This can be mitigated by educating your users on the simpler login experience they will realise by no longer having to remember passwords for their corporate experience.

ii. Misconception about the cost of implementation. With the introduction of passwordless capability comes a reduction in support costs for existing methods. Having no passwords means no password management!

But generally, these potential barriers are outweighed by the benefits of increased security and improved user experience.

Any final thoughts to mark World Password Day?

Yubico and the passwordless journey rely heavily on customer voices. If your favourite services or business-critical applications aren't meeting your authentication standards, you should let them know that you'd like to see stronger authentication options, like passwordless, available. Customer feedback is an important catalyst for passwordless adoption and implementation.