Why Your Best Passwords Are No Passwords
Bravura OneAuth powered by HYPR
Introducing Bravura OneAuth
Eliminate the Security Risk of Legacy MFA with True Passwordless Authentication
How well is your organization really protected against two of the most prevalent cyberattacks: phishing and brute force attacks? According to a recent Bravura Security study, nearly half of IT, security, and cybersecurity leaders still store passwords, a leading cause of attacks, in shared office documents and other insecure methods. IT leaders are now looking to eliminate corporate risk by never requiring a user to remember passwords again and provide superior security to traditional MFA solutions, which aren’t working. The status quo isn’t improving security or productivity. According to HYPR’s study, 89% of organizations believe passwordless authentication provides a superior user experience and the highest level of authentication security.
Watch this thought-provoking webinar recording to learn why passwords don’t really work and what you can do about it by eliminating the threat vector of passwords with a passwordless sign-in experience. During this webinar we will discuss:
- How to reduce the risk of compromised credentials by replacing traditional, tedious, and poorly adopted MFA methods and removing remembering passwords from the equation.
- Making authentication for your workforce as easy as unlocking a cell phone yet significantly more secure than traditional MFA solutions.
- Implementing unparalleled security assurance and a frictionless consumer-grade experience that delivers on speed, simplicity, and significantly increased security across your security fabric.
Review the Full Session Transcript
No time to watch the session? No problem, take a read through the transcript.
David Davis (00:00:08):
Hello and welcome to today's webinar, Why Your Best Passwords Are No Passwords. This special webinar event is presented in partnership with our friends at Hitachi ID and HYPR. Thank you so much for joining us on the webinar today. We've got a great event. This is going to be a very educational session. We appreciate everyone out there in the ActualTech Media audience taking time out of your busy schedule to join us and we're going to do our best to make this event educational for you. I should mention my name is David Davis of ActualTech Media and I'll be serving as the host and moderator on the event today. We encourage your questions right there in the questions tab in your audience console. I see many of you have already said hello and good morning, good afternoon from across the United States and around the world. We love to see that, but we also want your technical questions during the session here.
(00:01:00):
We'll be doing a live Q and A session at the end of the event and we need your questions. So we want to help to make this educational, help you to solve your technology challenges, especially around passwords and security. It's a hot topic today, after all, affecting companies of all shapes and sizes out there in the world of technology. So encourage your questions. We also have a best question prize. I'll be talking about that here in just a moment, but first I want to encourage you to check out the handouts tab. It's there in your audience console as well. Right at the top there is the new State of Authentication in the Finance Industry for 2022 report. So make sure that you check out that PDF resource and download that so you can peruse it after the event. We'll be talking about that on the event today.
(00:01:50):
There are also two other resources there. There's one entitled Enterprises Lack Confidence in Their Secret and Password Management Framework and Policies out there, so make sure that you check out that resource. And then the third one is the Hitachi ID and HYPR Accelerate the Path to Passwordless with Bravura OneAuth resource. I encourage you to check that one out as well at the end of the webinar today. It's my pleasure to be announcing the winner of the Amazon $300 gift card prize on the live event. If you're watching this on demand, of course the drawing has already occurred. The prize terms and conditions can be found there in the handouts tab. And then as I mentioned as well, we also have our Amazon $50 gift card Best Question Prize. What that means is that you have to enter, or you can only be entered, by asking a question and meeting the ActualTech Media prize terms and conditions.
(00:02:44):
So keep those questions coming. We will be contacting the winner of the best question prize after the event. All right, so as I mentioned, today's topic is why your best passwords are no passwords, and we've got two experts lined up here in the green room ready to chat with us and educate us on this topic. Welcome to Mr. Bryan Christ. He is with Bravura Security. He's a solutions engineer and he specializes in security and access governance. He's been in the industry here for more than 20 years. He has a huge background in today's topic and we'll be relying on him for his expertise, and also I'm excited to welcome now Mr. Ryan Rowcliffe, who is the field CTO at HYPR. Ryan, it's great to have you on, also with 20 years plus experience in this industry, focusing over the last seven years on identity and access management, multifactor authentication and passwordless. So it's great to have your expertise as well. Ryan and Bryan, it's going to be a great discussion. I encourage the audience to ask these experts as many questions as you have on today's topic. So I'll first hand it off to you, Bryan, take it away.
Bryan Christ (00:04:11):
Hey David, thanks for the introduction. I know a lot of you online, when this was first advertised, signed up for an event that was hosted by Hitachi ID. Since then, we have taken on a new identity. We are now Bravura Security. And so the question is, what does that mean for you? What does that mean for our customers? It means the same great things it's always meant. We've been around for three decades. We are one of the only providers of solution sets in the market that are focused on the entire spectrum of identity. In other words, both your standing privileges, your highly elevated privileges, password technology, passwordless technology, we've kind of woven into this fabric, what we call the Bravura Security Fabric, is this idea that our solutions should be critical to lowering your operating expenses, allowing your valuable resources to work on the things that matter and not be distracted with the things that don't matter.
(00:05:23):
Also, lower total cost of ownership as part of the equation. I'm not going to rattle through all of the bullets here, but I do want to call one specific to attention in light of the name change, which is that we have longstanding tenured staff within our organization. I think it speaks highly of the organization, but for you as someone who reaches out to us regarding a solution, a problem to solve, questions about our technology, what that means is that you are going to be speaking with, whether that's account management or sales or support or whoever, someone who has deep expertise in our products and solutions inside and out. This next slide, just a real quick run through the history of the organization. As I mentioned earlier, we've been around for three decades. Along the way, we've introduced a number of products that have been built on top of each other to produce what we call the Bravura Security Fabric. For a period of time, we were Hitachi ID; recently, now Bravura Security, and the kind of focus of today's conversation is our technology partnership with HYPR. So with that, I'm going to turn it over to Ryan to introduce HYPR.
Ryan Rowcliffe (00:06:49):
Thanks Bryan and thanks David for the introduction. For those who are unaware, HYPR is the true passwordless company, and to help shape what our mission is: it's time to fix the way the world logs in. That is our core mission and we look at achieving that through two principles or two tenets, and that is uncompromising assurance and consumer grade experience. Uncompromising assurance means that we should have the highest level of assurance as deemed even by NIST in SP 800-63B, and a consumer grade experience because if we can't get our users to adopt passwordless, we're not going to be able to be successful. So we need to make sure that every user can adopt and leverage this technology stack, and I'm really excited to be here with Bryan and the Bravura Security team and talking about where passwordless can help augment specifically around your IAM programs and/or Privilege, Safe and a couple of the other product sets that the Bravura Security Fabric offers. So with that, Bryan, I believe it goes to your slide next.
Bryan Christ (00:07:57):
Yep, thanks. Nope, got it.
Ryan Rowcliffe (00:08:00):
Thank you, Bryan. We're working on our orchestration together, Bryan. We're going to figure it out through this experience together.
Bryan Christ (00:08:04):
Yeah, no worries. So this first slide here, maybe some of you were scratching your head looking at it saying zero trust, operational maturity, I thought I was here for a discussion about passwordless. I assure you that's going to be part of it. I want to make an observation on this slide and then I'll kind of unpack the relationship between passwordless and things like Zero Trust, and it's this first one here. I've called out a number of items on what we call the Zero Trust journey or the operational maturity journey. I've highlighted a few of them. This first one here, heavy dependence on the perimeter. I go to a lot of trade shows and expos and I'm always amazed, if not alarmed, that when I look across the landscape of exhibitor booths, I see a lot of emphasis on perimeter security. So either keeping folks out or solution sets to say, well, if someone gets through, how quickly can we detect that and then do something about it?
(00:09:12):
The problem is that if I unpack, and I'm not going to steal Ryan's thunder, I know he's going to talk about this a little bit later, so I'm going to go 50,000 foot with you here, but if I unpack the anatomy of a very typical attack, it's breach the perimeter defense. So that's typically get a foothold in and then do some reconnaissance, try to move laterally, rinse and repeat until you get to the keys to the kingdom. And really if you spend any time looking at what's happened with Uber in the news, you're going to see that really that was an abbreviated version of what I just described. So sort of the bottom of this is this sort of heavy dependence on the perimeter. How does Zero Trust come into this conversation? How does Passwordless come into this conversation? I want to thank Ryan for just mentioning this there a minute ago, the traditional approach to Zero trust has been microsegmentation.
(00:10:11):
Nothing wrong with it, it was sort of the first kid on the block, but if you think about what it's doing, it's just sort of shrinking perimeter defense into smaller and smaller boxes. NIST recently, in their guidance on Zero Trust, introduced a new kid on the block called Enhanced Identity Governance. And what you'll see here on this journey to operational maturity, this illustration here presented, the reason I've highlighted a lot of these items in orange is because if you put them under a microscope, sort of in a Venn diagram sort of way, with the NIST guidance on the enhanced identity governance approach to zero trust, you're going to find either sort of a direct or overlapping sort of correlation between that item and this idea of going passwordless. If you don't take my word for it, let me just share this with you. This comes from one of the leading analysts, KuppingerCole. They emphasize this tight relationship in a recent journal article about passwordless initiatives supporting these zero trust initiatives, and I've highlighted it here just so I can call it out specifically, but by removing passwords and their misuse and replacing them with more secure options. So there is a symbiotic relationship between passwordless initiatives and that zero trust journey or that desire to grow your operational maturity.
(00:11:43):
Talk about passwords for just a minute. When I was spending some time reading up on what happened over at Uber, I stumbled across an article. It was written by an organization that focuses on education, so that was their wheelhouse, and they talked about the necessity of training employees on good password hygiene. I'm not going to tell you not to do that. I think you absolutely need to do it. One of the things that we did earlier this year was we conducted a survey. We asked executives, I think director, VP and higher, what are you doing in terms of training your employee population on passwords? So if you do the quick math, you'll see here 94% of the respondents said, we've got some program in place to train our employees on what good password hygiene practices look like. So the next question that we asked in that was, well, how is that working out for you?
(00:12:51):
What is the outcome of it? And sadly, a quarter of the respondents came back and said, well, we still had a data breach in the last 12 months directly related to poor password management. So organizations are doing the right thing, they are throwing training at the problem, but I've had a sneaking suspicion for a very long time that part of the problem is the human element. You see this little graphic up here. I hadn't originally intended to talk about this, but as we were throwing this slide deck together, I remembered this incident that occurred. My mother is an educator, retired out of the public school system. And so I see things on Facebook related to education, and I remember this teacher complaining online that at the beginning of the school year, they were going to force 'em to change all of their passwords.
(00:13:46):
And I could make this up, I wish I had taken a screenshot of it, but she literally said, well, the way I solve this is I write it down on a sticky note and I put it on my monitor. And I thought, oh my goodness, this is the quintessential stereotypical thing that is bad practice, but why is that? And I think this survey that Bitwarden conducted, that I've got some of the stats up here for on the screen, really reinforces what I've believed all along, which is it's tough to remember passwords. People don't like thinking that, hey, I'll need to be here or there or in front of this computer or in front of this device and if I can't remember it, I'm out of luck. It's almost the fear of missing out. And so here's what they do. They pick words, passwords that are easy to remember, and then here's the really bad part, they reuse those passwords on other sites.
(00:14:43):
So despite all of the really good training, passwords continue and will continue to be a problem. And part of it is just because of who we as human beings are by our very nature. As we start into this conversation about passwordless, I want to sort of have a little healthy dose of reality here. In many cases, it will be possible to go passwordless. I would say, just like you tackle zero trust initiatives, do so in a phased approach. Don't try to kind of boil the ocean all at once, and also recognize that there will be legacy systems that you simply won't be able to implement a passwordless strategy with because of the nature of the systems; there's no APIs, there's no integration points. So some of these may live in your organization, but should you go down that phased approach, which we would encourage you to, to eradicating passwords, I think that Ryan is going to share with you some important information about the technology, about how HYPR can help with that. And so at this point, I'm going to turn this over to Ryan and let him talk about removing those passwords from your organization.
Ryan Rowcliffe (00:16:05):
Perfect, thanks Bryan. And I don't know if I totally take you off screen. I think you and I are both kind of fans of Verizon's DBIR, and you and I were talking about how we pretty much treat it like Christmas morning when the report finally comes out. And I know we've been already going over quite a bit on the statistics and evidence of, and the one thing that we sit here and we're obviously advocating the world going, and that zero trust and then you have all these other components that if we were to give a negative user experience, as we take these new frameworks and these new architectures and implement them, do we still solve the actual underlying problem, which happens to be a password itself, a shared secret? And even with this most recent, which is now almost like a year old, the Verizon breach report stated 82% of breaches involved had stolen credentials or phishing or misuse.
(00:17:00):
And I would almost say now that we're at this point, that 82% is going to be even, it's probably going to grow next year, especially because of what we're seeing publicly reported, and that comes from the 0ktapus attacks as well as Uber, as you had brought up earlier in the talk today. And what I wanted to do is outline a little bit of just kind of a high level, as you were describing what the attack chain looks like, and really it all starts with some form of phishing or getting a hold of someone's credentials. And the password itself, in my personal opinion, is a toxic asset and it's time for us to get rid of these things where possible. But when we walk through it, the attacker initially gets some form of credentials, whether it be from some other supply chain attack or from a dark web acquisition of usernames and passwords, and then they just start doing a phishing campaign.
(00:17:58):
It's kind of almost a spray and pray technique and it's very automated and it's very cheap to perform. And then eventually over time we can say it's a MFA prompt bombing or MFA bombing. I don't necessarily agree with the media today. I think it's just still push fatigue because we all have so many push notifications on our devices that eventually the user will accept that notification and or enter their one-time passcode that they've been issued and then the attacker has successfully taken over that account. And when we start thinking about if we were to apply the same technology that exists today that we've used as a best practice historically, and we're going to take on a zero trust initiative, what are we actually technically going to gain outside of the fact that we're going to challenge a user more frequently because we're going to see some sort of pattern or access requests that they need to be challenged for, and if we give them the traditional user experience, it's going to become more annoying than anything else and then those users will attempt to circumvent.
(00:18:59):
We do like to go out and put some statistics to support our statements. As you can see on the slide below, the percentages of organizations that have recognized that they've been phished, that have reported credential stuffing attacks, and also those that are seeing an increase in push fatigue as I was speaking about earlier. Now, there is a form of technology that we implemented, and I'm really excited about the partnership between Bravura Security and HYPR and how we can start expanding that foothold on the technology stack, especially when we talk about access grants and zero trust, is that if we implement things like HYPR in these chains, then you end up taking away the password altogether and it becomes a standards-based authentication using PKC. As we are giant FIDO advocates, our product is heavily wrapped around multiple FIDO specifications, and if we can actually take that password out of the equation, make it a 100% cryptographically generated or a PKC authentication event, we mitigate quite a bit of this attack surface at the same time as giving users the same type of experience they're used to logging into any of their consumer services today. And to continue supporting this with more evidence, we commissioned our own report from a third party, which went targeting specifically FSIs, so the financial service industry, which usually has a little bit more budget allocation for compliance reasons or for regulation reasons, and there was still a very, very high number acknowledging that this is a problem within even their organizations.
(00:20:46):
They admitted to having credential misuse or authentication vulnerabilities in their breaches, and also 80% experienced at least one cyber breach related to weakness in authentication. That's 80%. That number scares me and I think it definitely becomes an indicator for change and opens the door for technologies like HYPR to start mitigating quite a bit of these attack vectors. And as part of that report, we went and had them outline what did these organizations see as their primaries, and once again, I think Bryan, you brought it up earlier, was like the human element, right? So phishing is number one in this list that came from this report. That means that even phishing education and phishing training, it's not getting us there. We're not getting to a mitigated approach, and not to pick on other products that are doing email scanning and trying to stop the actual phishing from emails.
(00:21:49):
I mean, what happens, let's say we do get successful with blocking emails coming into users. I'm pretty sure all of us who are in industry have been spammed over SMS to click on links, and even some who have been spammed on just even LinkedIn or any other platform; if anybody's account gets compromised, those links will start flying in those platforms. So even if we try to solve this through education and other technology leaders, in the end, the one main target is that password or credential, to get a user to authenticate and offer up their passwords. So maybe we need to start thinking about it more from the angle of let's not put passwords in the human's hands. Let's move this into a technology stack that can actually deliver that level of assurance and security. So what's the belief versus our actual true reality is most of those respondents came back saying that they don't think that their current authentication methods could actually secure their environment.
(00:22:50):
That's no good, that's scary, and there should be something that should invoke an action to be taken, but we usually have to wait for certain things within industry. I've seen personally that it's pending either a compliance objective, regulation objective, or it's some sort of negative outcome that produces budget or awareness. And how many, if we were to take on this initiative and say we did get budget for an MFA project, are we using the right MFA based off of just this last year? I could probably almost start making the statement and claims that vulnerable MFA does exist now, and the likes of anything that can be entered into a web browser or interface, anything that is sending over SMS, all of these are phishable components now; they can be exploited. So maybe we don't have that same warm blanket feeling of deploying MFA, even though it might hit that checkbox for compliance, that could be problematic and not necessarily achieve the goal that we were hopeful for when we deployed it.
(00:24:01):
So once again, advocating that we get the passwords, we get the shared secrets off the table, we end up increasing our security profile, we end up being able to be more future proof, especially aligning with ZTA architectures where we are going to be a little bit more dynamic, a little bit more continuous authentication events, where we don't want to necessarily impact our users so poorly that they're going to want to go run away or not be happy with our implementation of that framework. So what would we define as the values that we can actually give to our organizations through delivering passwordless, as well as a couple other components that we have in this partnership with Bravura Security, is that eliminating auth as a complete attack surface is I think the biggest of them all. Once again, I'm very adamant on the fact that passwords are toxic assets, passwords are terrible, shared secrets are terrible, and it's time for us to mature away from it.
(00:25:03):
Being able to cover your desktops and your cloud services, the amount of SaaS sprawl or application sprawl that's all out there, you need to be able to have this across the board, and improving experience, as one of our core tenets as I started out earlier, is a consumer grade experience. We need to make sure that even our enterprise users, our regular users, me as a personal user interacting with services, we should be demanding and advocating for our own passwordless experiences, that we're not having to have an over below to password manager or having to have any kind of family members writing passwords on sticky notes. And we want to increase the productivity of employees. So if we're going to be pushing MFA out to every employee and challenging 'em more often, we need to make sure that they stay productive and not have a problematic experience.
(00:25:59):
I should say, we have spent quite a bit of time in our industry on password reset help desk calls and just password resets in general. Well, let's get rid of those passwords and no longer do you have a password reset. There are some other things that would come along with that, but the bulk of that is going to separate and slip away from your day-to-day operation management, and then deploying a passwordless solution, HYPR paired with Bravura Security's OneAuth, actually produces alignment with OMB specifications as well as NIST guidance and also starts even helping in some of the MITRE ATT&CK frameworks and mitigating quite a few components along those chains. And then regulatory compliance, regulatory compliance and cyber insurance. I kind of mix these two together. We have to do certain things for regulatory reasons, but now we are starting to see more often than not that cyber insurance is actually cutting premiums or not giving any coverage at all.
(00:27:09):
If MFA is not deployed, and they're starting to sprinkle in that there has to be phishing resistant MFA, which is a really key indicator now, especially for what I was saying earlier where phishing is prevalent. It's always going to be prevalent as long as there's a way to communicate; someone's going to find some way to use phishing to their advantage, and phishing resistant is something that should be deemed as our de facto standard moving forward. With that though, I do believe this goes into a transition with Bryan. I don't know if I missed anything on topics. I know I was going to ask you, Bryan, if I was missing anything, that you would keep me honest and make sure I covered a topic before we jumped into any other slides?
Bryan Christ (00:27:53):
Yeah, we can go ahead and advance to the next slide, but I actually did want to draw you back into something that you and I discussed earlier this week, so we'll just go ahead and move on to the next slide. But one of the things that you and I talked about is the difference in approach that the technology behind HYPR brings to the table when it comes to centralized, something being centrally compromised versus, can you unpack that? You know where I'm going with that?
Ryan Rowcliffe (00:28:27):
Yeah, so that is, you're right, and I totally did miss that, and that's why I bounced off you. In my older age, I forget things from time to time, so I will use that as an excuse. So part of the implementation and the technology and the benefits of leveraging these types of standards like FIDO is that it is really starting to move to a decentralized deployment model where, in short, the only thing that's really being stored is a public key, and if you were to say enroll and use, if an attacker wants to get your account and get access, they actually have to work specifically to compromise that mobile device that has been registered and that's bound to you, and actually have to go through breaking all additional levels of security within that mobile device to try to unlock a private key that will never be exported from a secure enclave or trusted execution environment. So by doing that, we only have a public key that's being stored for validation, and no longer is it about the old fashioned protect our directories and put all these moats and put up all the walls and put all these items up around our directories because they hold what, the passwords and credentials and all of our specific information. Now to actually authenticate a user, the user is empowered by them having it on their device, which starts separating the attack model.
(00:29:55):
I can't go be a bad guy, try. So let's play out the Uber story, sorry Uber, but you're most recent, so we'll make the reference. The attacker made access, was able to laterally move and was able to get ahold of some credentials to even elevate the rights. In short, could dump all of the users' passwords within that environment, store 'em off in some storage location and then just do hash matching, hash cracking. There's the world's largest database out there of about what, 3.5 billion known passwords, and then you can find a match and now you've just got a hold of everybody's passwords. Now granted, in this story, somebody was bragging a lot about their access, therefore everybody is now aware that that data could have been exfiltrated and the IR team is most likely telling every user to change their passwords. But if you think about it, that is what most of these attacks have been doing, is getting access and exfiltrating that data out so that they can either create new accounts or share out that data for monetary value.
(00:31:08):
Now with Passwordless, once again, if you were to say be phished, that user would have to be informed and know that they're taking that action so it's not a push bomb anymore. They're actually going to have to go and open up their phone and scan a QR code or take an action specifically. So it's user initiated. It's that human cognitive behavior that we already kind of have somewhat ingrained in us, which is we sit down on our machine, we type a username, and then we type our password. Well, we're doing that as we initially access our machine because that's our process. It's a human cognitive function, not a response function where we get a push notification, we just accept. So we take on that same type of model by actually putting it back into the power of the user to say, I'm actually wanting to execute this action and now that helps mitigate that phishing technique and as well as once again, the credentials don't exist. So zero shared secrets, hopefully I went on that rant and hopefully that rant ended up answering some of what we were supposed to talk about.
Bryan Christ (00:32:14):
Yeah, no, that was exactly what I had in mind. I wanted to make sure that the folks on the line understood there was a fundamental difference of approach in how the HYPR technology in a mobile app works. They look similar, right? If I compare it to every other kind of mobile authenticator out there, the user experience is very similar, but actually what's going on under the hood, there is no centralized HYPR directory that can get compromised. Worst case, if someone's phone, and it would be very difficult to compromise someone's phone, but if they did, that would be the extent of the compromise. So this slide here that I've left up, sort of the thing here is, well, what does that mean for the Bravura Security Fabric? Well, it means that our new product, Bravura OneAuth powered by HYPR, brings all of what you just heard. As I was walking through what I was going to say on this slide, it is actually a little bit challenging because I knew you were going to talk about all the great technology, and what we're saying now is that that great technology comes to the entire Bravura Security Fabric and it does it in such a way that it's almost out of sight, out of mind.
(00:33:32):
I'm going to focus a little bit on this next slide and go a little bit product centric here. I'll start first by talking about Bravura Pass and Bravura Identity. The two sort of go hand in glove. Bravura Identity... let me kind of pause where I'm at and ask you as the audience to think back to that first slide that I started talking to, the one about zero trust and operational maturity and the NIST framework for the enhanced identity governance approach to zero trust architecture, and realize that what I'm doing here is I'm overlaying our product on top of that journey. And so Bravura Pass and Bravura Identity go hand in glove. Bravura Identity is for the acquisition, the rightful acquisition, of the standing privileges of a user. So these would be the daily drivers, your Salesforce, your Google Suite or your Office 365, or the things that a user needs to do their work, and Bravura Pass is the piece that pushes you into those systems through a standard like SAML.
(00:34:51):
So if you can imagine the experience with Bravura OneAuth, you simply authenticate into the fabric, and then now, with just a click of a button, you're into Office 365, and guess what? You never saw a password at any point in time in that entire process. Bravura Privilege is kind of complementary to this. So if you take the time to sort of unpack what happened in the Uber attack, I'll say my apologies to Uber too, but there's the standing privileges and then there's your elevated privileges, your keys to the kingdom, and I talked about the anatomy of the attack. Well, take the privilege conversation, take the privilege experience, and imagine authenticating into Bravura Privilege with OneAuth being really seamless. Then when you need to do that elevated work as an admin or operator, you get launched into an RDP session transparently. You never saw the password, or SSH or SQL or whatever that thing is.
(00:35:57):
Again, no passwords out. I did caution at the outset of this conversation that there will be a world in which it will be very difficult to get rid of passwords completely. Legacy systems, some web systems, can be a little bit of the wild west. There's no standard there. We're not going to be able to leverage that. But for all of those kinds of things, we have Bravura Safe. Bravura Safe essentially manages what I call decentralized secrets. I like to give an illustration. I'll start with something that I mentioned early on, which is going to these trade shows; in fact, I'm going to be at EDUCAUSE here in October. So if you're on the line and you're planning on going to that show, please come by our booth. I'd love to have a greater conversation with you, but I have to register for EDUCAUSE, and it requires a username and a password, and there's no standard there.
(00:36:51):
But in this march toward passwordless, what if I can at least authenticate into Bravura Safe using OneAuth? So, never seeing a password, have Bravura Safe generate a password that I never need to see, copy and paste it, and then I've eliminated that temptation to reuse a password and do that thing we all know is bad behavior. As I was thinking about kind of tying the OneAuth experience into all of our products, I kept thinking to myself, why is it that in my mind I keep going back to this thing that I did when I was a little boy, which was when I first learned to ride my bicycle without using the handlebars. Look ma, no hands, right? And that was kind of the feeling I got when I was going through how OneAuth brings that experience to the user. And what I realized is, while it's maybe not a perfect analogy, it's like look ma, no passwords, and that should be the desired state we get to: technology's useful to us, it's productive to us, but it's out of the way, and we really aren't thinking, we're not really thinking about security.
(00:38:08):
Security's just done for us.
(00:38:14):
So hopefully you found the content we had today engaging; maybe something we said resonated with you. I want to encourage you to... this is a short conversation. We had a fixed amount of time to unpack all of this. I'd encourage you to reach out to us, let us have a conversation, share with us what kinds of things you're struggling with. If we put you through our survey process, where would you excel? Where would you fall short? Unpack all of that for us. Let us see how we can help you bring some solutions to bear through just a simple conversation. We'll get our experts on the line with you and walk through that. At this point, I think that unless, Ryan, you have anything else you want to mention here at the last minute...
Ryan Rowcliffe (00:39:07):
I'm just excited with our partnership and not to get all product happy, but just seeing that lifecycle, all of the components, and mapping this all together for the Bravura security fabric and then putting Passwordless in. I loved your story by the way. Look, ma, no hands, no passwords. I think that is how we actually start achieving our end state, by having that integration across these tech stacks, these product sets that will enable those initiatives to be successful. We specifically target passwordless, but with the security fabric you guys have in place, being able to actually do maybe a privilege on demand or Bravura Safe is actually, why should I ever even know the password that's in Bravura Safe? Maybe it's just a request and checkout, and who knows? Getting people away from having to memorize a 16-character, 24, whatever that is. Just to get into a supporting statement.
(00:40:10):
A well-known password cracker is basically saying password cracking is kind of dead. It's no longer a technique. People aren't really trying to jump onto boxes and RAM scrape so much or sit there and do password cracking specifically. Why do I need to do that when I can just phish you, have you give me access, and then I can just take the account? That is less work, it's less investment. All these guys are spending their time trying to get as much ROI as possible on their attacks. So they're going to go as cheap and fast as possible, just like any other business is going to go. And that is what we're fighting against, and I think having that fabric all together enables an extreme amount of capability and functionality for identity and access management environments. Sorry, you opened the door and I ran.
Bryan Christ (00:41:00):
No, yeah, no, I did. Yeah, thanks. No, appreciate it, Ryan. So I think at this point, David, maybe back to you for some Q&A.
David Davis (00:41:12):
Absolutely, yeah, we got a lot of great questions coming in from the audience. Thank you everyone out there, and of course, thank you Bryan and Ryan for the excellent education here on passwords, and obviously there's a lot that I think the audience still needs to understand based on the volume of questions out here. So I'm just going to go ahead and start with, it's hard to know where to start, but I'm going to start with this one from Matt who says, what are your thoughts on this: new guidelines on not forcing periodic password changes unless there's a reason to believe there was an active compromise?
Bryan Christ (00:41:54):
Ryan, you want to tackle that one?
Ryan Rowcliffe (00:41:57):
I can somewhat agree with that new position, and specifically because if we do deploy things such as Hypr, then password changes actually start getting reduced and not really having to apply. I would kind of take it one step further. If we were to play the whole story out, users shouldn't have to change passwords because we believe they shouldn't have to have a password anymore, and we should be using a different authentication method. But this kind of ropes back to the legacy system topic, where there are some things I will specifically bring out, such as AS/400s and mainframes, that don't have the ability to actually handle anything other than an eight character password that is basically in that system. And we have to look at our attack surfaces and make decisions, and this is where I think Bravura Safe just stands out: put passwordless in front of Bravura Safe and then have Bravura Safe manage that password, and maybe it should be rotating more often than waiting for the attack. So I'll argue NIST on that one, because that could just constantly rotate and it doesn't matter. It is abstracted away from users. It's not even password management for the user; it's now system oriented, generated and managed. Now that can be open for debate, but that's my view of the topic though. I don't know, Bryan, if you're...
Bryan Christ (00:43:18):
Yeah, so I share some similar thoughts with you there. Remember, this is fundamentally, if we go back to the statistics that Ryan brought up out of the Verizon report, fundamentally the human is the weakest link in all of this. So whether I'm using something like baf, and again, we're talking really about legacy systems here, you've got to still have a password in those, whether you're talking about something like Bravura Safe where it's effectively stashing the password and then you're just going to put that into whatever system, or whether you're talking about Bravura Privilege, which is much more advanced and can randomize AS/400 passwords or RACF mainframe passwords and change 'em periodically. At the heart of all of this is ensuring that the end user never knows the password. I can't socially engineer something out of someone that they don't know. Period. End of story. You could water torture me, and if I don't know the password, I can't give it to you. And so that's really what's at the heart of this.
David Davis (00:44:30):
That's really cool. And I think that goes to this question here from Juliet, who's asking, do you have any recommendations for how to handle legacy systems that cannot work with a password? Is there a password manager integrated? Is that Bravura Safe?
Bryan Christ (00:44:47):
Great question. I'll tackle this one. So we actually are very unique in the market. We grew up in an on-prem world, which means, I'm not going to say every legacy system, but many legacy systems. So I rattled off mainframes, I rattled off AS/400, SAP; these are typically a difficult target to integrate. A lot of them are on-prem. The go-to solution for this, and I'm going to tell you, do both. I'm not here to push anything specifically other than a good solution. Microsegmentation has a purpose, but even better than that, if you use our products like Bravura Privilege, we have an encrypted connector for mainframes. We have an encrypted connector for AS/400 accounts or systems. So we can vault and randomize those passwords. If it's some system that we can't connect to, then Bravura Safe is the place you go to. You can create crazy long, complex passwords, and you can do it without the end user ever knowing what they are. They authenticate in again through Bravura OneAuth, copy and paste that password into that legacy system, and off they go. So it really depends on what you have in mind with legacy, but just understand that in many arenas we can do certain things that our competitors can't do.
David Davis (00:46:21):
Very nice. Yeah, I love that you have every platform covered here. VJ is asking, is the problem a poor human element or too many passwords, or are hackers just getting better?
Bryan Christ (00:46:37):
So I think, Ryan, I'm going to give you a shot at this one too. I think the human element plays a big part of this. Ryan and I were talking before, we kind of chatted last week and we chatted this week, and we're seeing the exact same thing, which is companies are realizing that short passwords, and it is crazy to think now that today an eight character password is considered short, but they're moving that bar up, they're moving it up to 16 characters. And I'm going to tell you, I wish I was doing this live. I would ask for a show of hands, but if I said, how many of you, if you had a 16 character password, would be able to memorize it? I guarantee you the number of hands would be really low. But let's say you were able to memorize it.
(00:47:26):
What are you going to do when you're asked to change that password? I guarantee this is what you're going to do. You're going to tack a number and an exclamation mark on the end of it, period. If I asked how many people in the room are going to do that, I bet you a good portion of hands are going to go up. They're going to tack a number on it, an exclamation mark or some other character that they like, and then the next time they're going to change that number. It's no longer going to be a one, it's going to be a two, and it's still going to have an exclamation mark on it. It really is. A large part of this is the human element. One of the things that we talk about with Bravura Safe is this, and I mentioned it, this fear of missing out: I'm going to need this password, and immediately, at the most untimely time, right?
(00:48:08):
Like, oh my goodness, if I can't get into some systems. So in Bravura Safe, and I'm not going to spend a whole lot of time on this, but we make Bravura Safe available on Mac, Windows, Linux, Android, iPhone, fat clients, browser extensions, a command line tool; it even works in offline mode. So if you're out in the field and you've got to deal with a SCADA device. So we've pretty much eliminated that argument altogether, right? So now if I can authenticate into Safe and I don't even have to remember some kind of master password, if I can authenticate in with Bravura OneAuth, there's never a reason that I need to memorize a password, period. I've completely... as I was thinking through this conversation today, I said education is focused on dealing with the temptation when it's presented before you to do something bad. Going passwordless removes the temptation altogether, right? Rather than being there trying to fight against the temptation, wouldn't you just eliminate the temptation altogether? Ryan, you want to add anything to that?
Ryan Rowcliffe (00:49:16):
Yeah, in the context of the question, are hackers getting better? It's getting more automated. The barrier of entry is much lower. Services are now out there available for you to spend a couple hundred dollars, and it will automate an attack. So are they getting better? No. They're getting more busy, business savvy, and finding ways to deliver something at a much higher speed. There are still some serious techniques that users are applying. I mean, you do have to do investigations. You do have to navigate. Once again, apologies on the Uber story, but they did start with a ransomware attack there. They got credentials out through that ransomware or malware, and then somebody bought them. So they had to spend the time to go on the dark web, buy those credentials, and then they went and validated 'em. Then they had to find the actual user who was associated with those credentials and then specifically target that individual when they didn't get the easy push accept, and then they had to convince them to accept that push notification.
(00:50:23):
So I mean, these steps all add up. It's persistence, and it's a low bar of a technical hurdle, but it is still a technique that has to be applied. So I think the technical hurdles are getting lighter. I think services and components are making it more viable for, I guess, the temptation, as you described it, Bryan, to be tempting to actually make a business in this vector. It's only going to get wider. It's only going to get more spread. There are more systems coming on every day. There are more accounts coming on every day. There are more users, there are more passwords. It's going to proliferate, and it's going to continue to expand until we actually start solving the problem and not kind of putting band-aids over the top. Historically, our industry has put band-aids; we layer and layer and layer, and we never got to the root, right? So we've been treating the symptom, not the disease, in my opinion.
David Davis (00:51:20):
Very well said. Well said. Here's a good question for you. Brian Bash is asking, would your Passwordless product also enable risk-based authentication or support it?
Bryan Christ (00:51:33):
Yes. So basically all of the products in the Bravura security fabric have a mechanism for assigning risk to user populations, to entitlements, and we can do dynamic things. I mentioned, remember I said at the very beginning, I didn't say that reliance on the perimeter was bad. I said over reliance or heavy reliance on the perimeter was bad. So I mean, I would never tell anybody, don't throw up firewalls and don't throw up endpoint. I would never advocate for that. But we can do things like look at whether they're on network or off network, and we can challenge 'em in different ways. So we might decide to supplement something like OneAuth with yet another factor of authentication, or maybe we get more aggressive at how often we ask them. So when they go to, let me give you an illustration in Bravura Privilege, which is designed to vault the keys to the kingdom.
(00:52:44):
In a lot of cases, you don't want that product to get in the way. And so they request access to some root account or administrator account, and it's checked out, and they do their work, and it gets checked back in, and it gets randomized. You really don't want to get in their way. We could look at a risk score and say, you know what? This time we're going to actually ask a human being to approve that request. So it's routed to their manager or someone in IT security. So yeah, absolutely, risk scoring of both user populations and entitlements is supported in our products.
David Davis (00:53:21):
That seems very smart. Here's a good question from Paul who wants to know, do Passwordless options negate or minimize the need to rely on password managers for traditional passwords?
Bryan Christ (00:53:35):
I could take that one. Or you, Ryan? Either one. I think you could start off.
Ryan Rowcliffe (00:53:40):
I think we've been kind of addressing it in conversation, right? I think password managers have a place today because we can't snap our fingers and have everybody passwordless tomorrow. So we need a bridging technology to get there. And I think Bravura Safe is a perfect example of that bridging technology, meeting the needs of anything which cannot be driven to passwordless today. It could be legacy, it could be a couple other things. So I think that password managers have their place; preferably, in my pipe dream world, they would go away, but I think that's years and years down the road because of how expansive this problem is.
Bryan Christ (00:54:25):
And Bryan, you can add, yeah, no, it's spot on. I think we can all visualize what that looks like to have a truly passwordless experience. But I see this in a lot of verticals, and I hate to keep picking on things like mainframe, but they're not going anywhere. I talk to these verticals that have these kinds of systems, and you say, are these going to go away anytime soon? And the answer year after year after year is, yeah, we're eventually going to get rid of it, but they keep propping these systems up, and they're critical infrastructure. So yeah, it's not going away. And so a tool like Bravura Safe absolutely has a place in this world, and it's going to continue to have a place. That's what I wanted to be, is realistic upfront in this presentation, to say, hey, look, get rid of passwords wherever you can, and there's a lot of low hanging fruit for that, especially with OneAuth. But be realistic and recognize that there are other strategies you're going to have to employ for these legacy systems. You're just not going to get rid of them, not overnight.
David Davis (00:55:35):
Okay, good. This is probably a question we could do a whole webinar on, and we've only got a few minutes left, but they're asking, could you give us an example of how Passwordless works? How do we know who the user really is? And while it would be great to have no password, can't these other methods that we're authenticating them with also be hacked?
Bryan Christ (00:55:59):
Ryan, I'm going to let you do that one.
Ryan Rowcliffe (00:56:01):
Yeah, I mean the initial enrollment, it comes in, and I'm going to do this in a more holistic kind of passwordless way. Initial enrollment does mean that there has to be some trust anchor in place in the initial enrollment of Passwordless, and that trust anchor could be, in a consumer use case, it would be a KYC flow, kind of like what you do with your banking, where you have to validate with your driver's license, passport, or something to prove your identity. Another trust anchor could be that you're within your enterprise and you already have some components in place today, passwords or anything of that nature, which allows for an easy enrollment. You already have an identity posture in your environment. There is a level of trust within that environment. You can leverage that to do the initial enrollment of passwordless, and then the identity is now bound through that capability. So through that enrollment process going downstream... I think there was a second part to that question.
David Davis (00:56:59):
The question was, yeah, can't these other methods of authentication also be hacked?
Ryan Rowcliffe (00:57:05):
Yeah, we can also base our foundation on: if it can be plugged into a wall and it's connected, it could be hacked. And we do have to plan our strategy and security models with that in mind, with the initial enrollment. There are other things, and I think the Bravura security fabric helps with this. So we mix all of these together. The risk, the enrollment process, all of those together can increase the confidence for an organization in that enrollment process because there's more insight. It's not just a, hey, here's an enrollment and we have no idea, we're just trusting who you are by you stating it; it's going to be validated and confirmed with internal resources, whether it be HR systems, whether it be an internal directory, whether it be any other component that's coming out of the fabric, and that's how you get that confidence in initial trust in the enrollment process.
(00:58:00):
Other factors of being hacked. I mean, when we look at passwordless, that flow consists of you either scanning a QR code or getting a message on your phone, but you do have to execute a biometric which stays native to the device and does not fall back. So I think a lot of technologies have seen the kind of device enforcement with biometrics which basically just falls back to the passcode. Using a technology like Hypr that's wrapped with FIDO, it is enforced. You cannot fall back from your biometric enrollment; you cannot fall back from what you enrolled in. You have to use that for an authentication event or it is invalid. So those types of layers help protect that private key during the enrollment. And when we think about other forms being hacked, I will say that yes, SMS could be hacked. It's been exploited over and over again, whether it be through SIM swaps, whether it be through the fact that the SS7 network's been compromised, or as simple as just social engineering and phishing push notifications.
(00:59:05):
Obviously push fatigue is a big one. We can look at even good old-fashioned hard tokens with rotating PINs, if we want to date ourselves with the RSA SecurID credit cards that we used to have; if you can enter that into a webpage, that can be compromised through a reverse proxy. So that's why looking at getting all of that disconnected and using either FIDO2 or Bravura OneAuth, these are all techniques that mitigate all of those attack vectors. And this is the reason why the OMB released guidance in their zero trust architectures to use phishing resistant MFA. So that is the... not only is it phishing resistant, but there is a lot of additional security wrapped into those techniques. Now, you could ask me this question in 10 years, and I can say that there might be a new technique and a way to fight that somebody has been able to find to apply to these things, but this is also based off of industry standards, not just a vendor, which I think is really critical about this journey for the industry.
David Davis (01:00:03):
Excellent.
Ryan Rowcliffe (01:00:03):
You open a question, I rant. I apologize.
David Davis (01:00:06):
No, that's okay. That's very educational, very fascinating. I know, like I said, we could do a whole event on that topic as well as, I mean, there are 50 plus other questions I'm afraid we didn't have time to get to on today's webinar. Obviously there's a lot of interest in this, and a lot of questions and education still need to be covered. So Bryan and Ryan, I learned a lot on the event today. I know the audience did as well. I'm afraid that we're out of time though. Thank you so much for your expertise. I really appreciate it.
Ryan Rowcliffe (01:00:36):
Thank you. Thank you. It was good hanging out with you.
David Davis (01:00:41):
Absolutely. And thank you to our friends, of course, at Hitachi ID Bravura Security, as well as Hypr, for joining us on the event today and supporting today's event. Before we go, I do want to encourage everyone to check out the handouts tab. It's there that you'll find some great resources on today's topic. Make sure that you download the State of Authentication in the Finance Industry report and check out the other two resources there. I encourage you to book a deeper discussion with Bravura and Hypr to learn more about these technologies and how they can help to better secure your company and your company's crown jewels. Before we go, I want to announce the winner of our Amazon $300 gift card. This is going out to Edward Mullins from North Carolina. Congratulations. We'll reach out to you, as well as our best question prize winner. Thank you to everyone who joined us on the webinar today. Have a great day, and we'll see you next time. Bye-bye.
Identities are the heart of all access in your organization. They’re also the bullseye for attacks - particularly the often low-hanging passwords and high-valued privileges. Are you ready?
Learn how you can achieve increased identity protection from a state of fragmented access management to the precision of calling the shots with a zero trust security model.