Today's interview is with Steve Sidhu, owner of CSS Partners LLC, whose tenure in the technology space spans almost 40 years. Half of that experience has been in cybersecurity and identity, working for global organizations such as CA, HP Consulting and Ernst & Young.
We at Vietnam Insider had the privilege of interviewing him previously on topics covering effective sales and digital transformation.
In this interview we wanted to tap into his experience on passwordless authentication, the significant rise in phishing attacks and SMS scams, and the way forward. As we all know, passwords have been in existence since 1960, and with the advent of the smartphone more and more applications have placed a burden on users to remember passwords; at times individuals even share the same passwords between work and personal life.
We hear so much through social media and other channels about phishing attacks related to passwords, and these stories or articles are the catalyst moving society toward passwordless. Could you enlighten us with some data at a global level related to these attacks and their costs to companies?
On phishing attacks there is considerable data available from various organizations; however, I have presented a cut-down version. Let's look at some data to bring things into perspective.
The following report from IBM highlights the cost to a company of data breaches. It is quite overwhelming, and yet some organizations are at times still unable to step up to the mark.
What is the market size of passwordless by 2025/2026? In your opinion, in which regions do you foresee high levels of passwordless deployment?
One study from KuppingerCole estimates that by 2025 the market will reach 6.6B USD, with their analysts predicting a Compound Annual Growth Rate (CAGR) of up to 31.1%.
In my opinion, North America, EMEA, Japan and Korea are highly visible markets, being early adopters, with others to follow in time.
Another study by Future Market Insights, below, shows the BFSI industry as the leading sector, with North America holding the greater market share for FIDO authentication.
What industry standards exist today that provide secure authentication protocols? Which organizations are behind them?
One leading organization steering secure authentication protocols is the FIDO Alliance, a global non-profit organization that has been working to make the web more secure since 2012. The FIDO Alliance was founded by Nok Nok Labs, Infineon, Validity Sensors, PayPal, Lenovo, and Agnitio. Thereafter FIDO (Fast Identity Online) was launched publicly in 2012 with the aim of reducing the reliance on passwords. In 2014 FIDO released two protocols, namely the FIDO Universal Authentication Framework and FIDO Universal 2nd Factor. Since 2018, FIDO has introduced FIDO2, incorporating WebAuthn and the Client to Authenticator Protocol (CTAP); it is simply an asymmetric key pairing, matching a private key with its public key. The FIDO Alliance's aim is to eliminate the password with greater security, remove problems such as password resets and friction, make it easier to meet regulatory compliance and standards, provide user convenience and deliver strong authentication. Organizations can now replace passwords with stronger hardware-based FIDO2 security keys or biometrics such as fingerprints or facial recognition to significantly reduce phishing attacks.
With the introduction of passkeys, Apple, Microsoft and Google utilize this as a password replacement for user convenience, providing more secure sign-ins to websites and apps across a user's devices. A user can access their FIDO credential on more than one device without the need to re-register. For more info please refer to: https://fidoalliance.org/
Could you explain what phishing is? We hear that two-factor authentication and multi-factor authentication can potentially be bypassed; is this true?
Firstly, let's define: what is phishing? It is the act of sending an email or text message that stems from a trusted source with the purpose of obtaining personal information, which could be passwords, credit card numbers or other sensitive data, to be used at some stage.
We have seen that from the late 1980s the market had many solutions for 2FA and MFA, with companies willing to deploy 2FA/MFA methods. 2FA encompassed entering a login name and password (something the user knows), followed by a second step in which the user receives an OTP or code through SMS or an authenticator app on their phone, which they need to enter to log in (something you own).
The benefit of using 2FA/MFA against phishing attacks was that the attacker had little use for stolen usernames and passwords. During authentication, the user was prompted for a second or multiple factors directly on their device, such as a PIN or biometrics, thus preventing attackers from gaining access.
It is important to note that 2FA can no longer be guaranteed against phishing attacks. There are many ways for hackers to get around the system and access an account. The first way is to bypass 2FA protection by guessing the password or using a brute-force attack. The second way is more severe: through social engineering the hacker poses as a customer service agent and asks for the user's 2FA code, or even calls the bank and pretends to be the user asking for their online banking details.
The third way is to trick the user into typing their MFA-provided credentials (OTP) into a fake website.
Or even to carry out BiTM or MiTM phishing attacks. Tools are available to bypass 2FA and legacy MFA.
Lastly, there is even the case where the customer is sent a phishing SMS telling them to click on a link because their card has been used in another country. When the customer clicks the link and signs on, they are in fact directed to a spoofed IP address hosting a duplicate of the bank's web page, with the hacker taking over the account.
The banking industry faces the highest incident rate of phishing attacks, and cases such as those above have already occurred at a fair percentage of banks; it is time now for financial organizations to step up and deploy true passwordless authentication to combat this menacing problem.
The industry's answer is FIDO2 authentication, which provides users with strong authentication where end users can authenticate via the browser or an external authenticator, whether that be a hardware or software key. Something you have, something you know and something the user is will provide the strong security to eliminate phishing, credential stuffing, man-in-the-middle attacks, and exploitation of stolen credentials. Passwordless authentication not only has cost benefits but also provides the highest level of authentication security.
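The FIDO2 mechanism described in the answers above (an asymmetric key pair matched to a relying party, and why a fake web page or a relayed challenge does not help the attacker) as an added example in Go; this is not code from the interview, the FIDO Alliance or any vendor named here. It models WebAuthn's rpId scoping and origin-bound clientDataJSON with Go's standard-library ECDSA; the rpId "bank.example", the origins and the challenge strings are constructed placeholders, and the CBOR encoding, signature counters and attestation of real WebAuthn are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Minimal FIDO2/WebAuthn model (no CBOR, counters or attestation): each key is
// scoped to one rpId, and the signed clientDataJSON names the real page origin.
type clientData struct{ Challenge, Origin string }
type Authenticator map[string]*ecdsa.PrivateKey                     // rpId -> key
type RelyingParty struct{ ID, Origin string; Pub *ecdsa.PublicKey } // public half only
// signedMsg is what gets signed: sha256(rpIdHash || sha256(clientDataJSON)).
func signedMsg(rpID string, cd []byte) []byte {
	r, c := sha256.Sum256([]byte(rpID)), sha256.Sum256(cd)
	h := sha256.Sum256(append(r[:], c[:]...))
	return h[:]
}

// Register creates a P-256 key pair (constructed here) bound to one rpId.
func (a Authenticator) Register(rpID string) *ecdsa.PublicKey {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	a[rpID] = priv
	return &priv.PublicKey
}

// Assert models the browser: rpId comes from the page's real origin, so a look-alike domain has no key.
func (a Authenticator) Assert(rpID, origin, challenge string) ([]byte, []byte, error) {
	priv, ok := a[rpID]
	if !ok {
		return nil, nil, fmt.Errorf("authenticator: no credential for %q", rpID)
	}
	cd, _ := json.Marshal(clientData{challenge, origin})
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMsg(rpID, cd))
	return cd, sig, err
}

// Verify is the server side: its own challenge, its own origin, a valid signature over both.
func (rp *RelyingParty) Verify(challenge string, cd, sig []byte) error {
	var c clientData
	if err := json.Unmarshal(cd, &c); err != nil || c.Challenge != challenge ||
		c.Origin != rp.Origin || !ecdsa.VerifyASN1(rp.Pub, signedMsg(rp.ID, cd), sig) {
		return fmt.Errorf("rp: rejected assertion with clientData %s", cd)
	}
	return nil
}
```

Driven from a test or a main of your own, a genuine sign-in verifies, a look-alike domain never obtains a signature because the browser scopes rpId to the origin it actually loaded, and an assertion whose clientDataJSON names another origin or an already-used challenge is rejected by the relying party.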
What have been the key factors limiting an organization's ability to move to passwordless?
In my observations and professional opinion, the factors are as follows:
- The organization's digital strategy may lack passwordless as a key forward initiative;
- Priority in terms of spend, or simply no budget;
- Level of maturity in terms of passwordless;
- Positioning and prioritizing passwordless based on their current versus projected solution;
- Does the company place heavy reliance on 2FA, OTPs or hardware tokens?;
- Clear demonstration of ROI, TCO and NPV to management; and
- Ease of deployment.
In my opinion, much of the resistance limiting an organization from deploying passwordless can depend on geography, passwordless maturity and internal reasons within the organization.
In your opinion, who are the major global players that provide passwordless authentication solutions?
In my opinion, the key players in the marketplace providing passwordless solutions are, namely: HYPR, Transmit Security, Yubico, HID Global, SecureAuth, Thales, Daon, 1Kosmos, MiTek, Feitian, Onfido, LogonID and Authentrend, to name a few. These organizations have been supplying solutions to the market at a global level for a considerable time.
Should organizations engage a consulting firm to develop business case studies to justify the deployment of passwordless?
Yes; predominantly the main objectives in using a consulting firm are to:
- Assist in understanding the current state, digital strategy and problem areas, and recommend the solutions that best fit, in a vendor-neutral capacity.
- Present to management and the board the tangible benefits that passwordless brings to the organization in eliminating all possible risks, including ROSI.
- Provide organizations with workshops and educate them on the intrinsic value of removing passwords and not becoming a victim.
CSS Partners LLC has over 150 years of aggregated global experience and is very familiar with developing digital strategies and business cases to ensure completeness and organizational acceptance. The company's consultants have deep knowledge in technology, security risks, audits, financials and understanding business requirements, coupled with positioning the most appropriate solution to fit the company's requirements.
As an organization, we carry out such work for any company located in any geography.