Things to know about passwordless security: no, criminals will not cut off your thumb or peel the skin off your face to steal your biometrics and hack your network. And yes, C-suite executives always ask Wolfgang Goerlich, advisory CISO at Cisco Duo, this question.
Excerpt from: Why Cisco Duo’s on a Quest to Kill the Password.
“Everybody does,” he said. “We’ve seen so many ‘Mission Impossible’ movies — we know the risk. But here’s the thing: if a criminal is able to clone my biometrics, get ahold of my phone, get ahold of my computer, and bring those both into my home office, and then authenticate as me, and then only open up the applications that I normally open up during business hours, at that point I may just hire him as a contractor.”
He encourages CISOs to “bundle” passwordless with other zero-trust security tools such as identity and access management. “Partnering identity with passwordless is very appealing because we can establish that strong user identity with strong authentication factors without requiring more user effort. So this is a rare opportunity where it can actually reduce the amount of work that they need to do to establish that strong authentication.”
Wolf’s Additional Thoughts
As part of the design series, I have put forth the idea that being ahead of the curve is being ahead of the criminal. The early adoption of a control — doing something right but rare — has surprising stopping power against common attacks. I expect organizations who are early adopters of single strong factor authentication, passwordless, will have this sort of surprisingly strong defense.
Well, for a while. When adoption reaches critical mass, the criminals will be highly motivated to work around passwordless authentication. We have seen this with strong second-factor authentication and criminals adopting phishing and proxying to bypass this control.
Therefore, my strong recommendation is pairing passwordless with additional anti-fraud measures. Include the device identification in the authentication. Include behavior analytics (where, when, how) to further bolster trust in the authentication. We can predict criminals will work around these authentication methods, so let’s move now to put in place compensating controls to detect and prevent their next move.