The Journey to Passwordless Authentication w/ Derly Gutierrez

With us today is Derly Gutierrez, Head of Security at 1010 Data, and veteran. Derly is here with us today to talk about the journey to passwordless authentication and the flaws and strenghts of today's authentication methoods.

Allan and Derly refer to studies and surveys about the problems with passwords and the challenges of implementing passwordless approaches.

Derly emphasizes the need for other complementary technologies such as Role-Based Access Control (RBAC), Privileged Access Management (PAM), and system-to-system communications.

The two discuss corporate and personal use of passwordless solutions, talk about legal precedence and the future of passwordless approaches.

Key Takeaways

1:14 How Derly got into cyber
1:58 About Derly's day job as Head of Security
2:34 Allan quotes the 2017 Verizon DBIR on how many breaches involve weak or stolen passwords
3:35 Allan cites NIST 800-63b
4:15 Derly talks about CAC cards in the US DoD
4:50 Derly sides with vendor innovations over NIST guidance
5:56 Allan clarifies the distinction between PINs and passwords
6:52 Derly points out the flaws with biometrics in terms of reliability and assurance
9:09 Allan cites a survey regarding WHY organizations choose passwordless
9:52 How many 'passwordless' solutions still include shared secrets
10:38 Derly talks about corporate vs. personal passwordless solutions and shared secrets as backup for reliability issues
11:37 Derly emphasizes a lack of RBAC and PAM foiling all authentication approaches
13:06 Allan points out the value of Identity and Access Management solutions
13:44 Allan references three vendor approaches towards passwordless for legacy systems such as RADIUS
14:50 Derly takes these methods apart
16:05 Many companies are not doing Role-Based Acces Control, system-to-system communication and Privileged Access Management correctly
17:02 Allan brings up the presence of push attacks
17:38 Allan's definiton of true passwordless authentication
17:56 Derly's definition of true passwordless authentication
21:29 For personal use of biometrics, Allan brings up a disturbing precedent of law enforcement accessing an individual's phone with forced facial recognition
23:17 Derly emphasizes that applications on your phone should have a different authentication factor than access to the phone itself
23:47 "Your home is your castle" has become "Your phone is your castle"
25:06 Allan cites one last survey as to how many of us really are passwordless
26:02 How long before we got to passwordless?
28:06 What keeps Derly going in cyber

Links:

Learn more about Derly on LinkedIn and Twitter Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius