“Bringing everything into one place and integrating different tools enables organizations to better use the power of their entire security ecosystem, creating a more cohesive and cost-effective defense that minimizes risk,” says Tom “TJ” Jermoluk, CEO, Beyond Identity, in an exclusive interview with ITSecurityWire.
ITSW Bureau: What are the challenges enterprises encounter with security solutions based on passwords?
TJ: Passwords are a fatally flawed method of authenticating users and are the root cause of the vast majority of breaches. The Verizon 2021 Data Breach Investigations Report found that 97% of web-based application attacks and 61% of data breaches over the last year involved login credentials, and the website haveibeenpwned currently lists more than 11 billion compromised accounts.
An entire criminal economy has formed around the theft of passwords, with criminals specializing in stealing credentials and then selling them to other threat actors over dark web forums. These stolen passwords are then used in account takeover and ransomware attacks.
Attackers have grown increasingly adept at tricking victims into sharing their login details via social engineering over the phone or via phishing emails. A brute force approach can often skip out the middleman, particularly when users have passwords that include common words (e.g., sports teams, birthdays or children’s names) or when they reuse credentials across multiple sites.
Prevailing wisdom around passwords in recent years has advised longer and more complex choices that are changed regularly. But it doesn’t matter how long or strong a user’s password is if it is phished or stolen by adversaries. Whether it’s four characters or forty, it weighs the same as the phishing software.
ITSW Bureau: How can CISOs increase the confidence of the board members to adopt password-less solutions?
TJ: There is some confusion around what a “passwordless” solution actually is, and the term is often used incorrectly. Many might consider password managers such as LastPass, or browsers like Chrome that auto-fill credentials, to be passwordless. This means business leaders may already assume their organization is using passwordless technology.
However, these kinds of solutions only make password use more convenient by taking away the need for users to constantly re-enter their details. The password still exists and if a cybercriminal steals it, the result can cause significant financial loss.
A real passwordless solution means eliminating the password, which also eliminates the risks that go with it. This means replacing the password with another, much stronger form of security, such as asymmetric encryption used in Transport Layer Security (TLS) – recognized by users as the lock in the browser window.
However, just having a high level of security alone is not enough to win over the board. A passwordless solution, which effectively acts as the front door to a user’s digital assets, needs to be highly available. The solution also needs to be easy for the organization to deploy and use.
The best way to achieve this is to integrate passwordless security with tools the organization has already invested in – for example a single sign-on (SSO) solution used to manage access to multiple applications. This means all organizations can immediately benefit from the added security without requiring users to learn a new solution.
ITSW Bureau: What trends do you expect will transform passwordless solutions?
TJ: One of the biggest trends in security right now is the convergence of identity management and security solutions. Bringing everything into one place and integrating different tools enables organizations to better use the power of their entire security ecosystem, creating a more cohesive and cost-effective defense that minimizes risk.
This is particularly important with the new, more open environment created by a heavily remote workforce. Integrating passwordless technology with other security investments, particularly with identity, mobile device and endpoint management solutions, will make it easier to keep remote workers secure, regardless of their location and device.
Passwordless solutions are very much a part of this convergence, helping to protect the entire security infrastructure by removing the risk posed by passwords.
CISOs are anticipating a greater awareness of passwordless security soon as more businesses discover they can stop a significant number of attacks by replacing passwords with something much more secure.
A longtime collaborator with Jim, TJ has served as President and COO of Silicon Graphics, Inc., Founding Chairman and CEO of @Home Network, General Partner at Kleiner Perkins, CEO of Hyperion Development Group, and founded nine companies, including Beyond Identity, HiCMOS, AOptix, and SmartPipes. TJ attended Virginia Tech.