Interview: J Wolfgang Goerlich, Advisory CISO, Duo Security (Cisco)

Back in September, Gartner detailed its top eight security projects for the coming year. Among those was the concept of passwordless authentication, where a second factor such as a known asset like a phone, tablet, keyfob or smart watch can be used instead of a password.

“Complete elimination of passwords is still far off and we will ultimately never get rid of passwords, but there are a number of innovative approaches that we can take to turn static passwords from a liability into something that can be an asset,” said Gartner analyst Brian Reed.

A few days later, Infosecurity attended a press conference featuring speakers from Cisco Duo, where the subject of passwordless was addressed once again. Speaking there was advisory CISO J Wolfgang Goerlich, who said. while we have to wait for “robots and flying cars,” he could see a world with reduced reliance on passwords.

He said the consumer typically drives the experience and consumerization has enabled users to become more familiar with the technology they use. In particular – citing Cisco statistics – Goerlich said the average user has 191 passwords, “so the ability to move off of those is something we’re very excited about.”

According to the recent Cisco Duo Trusted Access Report 80% of mobile devices being used for work have biometrics configured, a rise of 12% over the past five years. Also, the percentage of organizations that enforce a policy to disallow SMS authentication nearly doubled from 8.7% to 16.1%.

The announcement on SMS authentication, and two-factor authentication specifically, was raised in a recent story, where Microsoft reportedly asked users to abandon 2FA tools that still use SMS and voice calls, in favor of more modern security technology.

“The culture is there, the technology is there and standards are there”

Speaking to Infosecurity, Goerlich cited a talk at the 2004 RSA Conference, where Bill Gates said that the password is dead, and Goerlich commented that “16 years later we’re still trying to kill it.” He said that to enable a passwordless strategy, you need both the equipment and technology to enable it, but mostly you need “to have momentum in the organization and a reason to do it.”

However, now that everyone carries a biometric authenticator in their pocket, has hardware in place and given the fact that security wants to enable users, why do passwords still exist? “The culture is there, the technology is there and standards are there,” Goerlich said.

In particular, he praised the introduction of standards to enable this move, specifically WebAuthn and the FIDO Alliance, which he said changed the narrative and paved the way for the web apps we all use.

So how well have passwordless strategies been adopted? Goerlich said there are CISOs who say they want to support this, but while most apps will offer a passwordless login, there are still some legacy apps that do not. These include  “core business banking or legacy apps that have not updated the authentication stack,” he said, as often they cannot support a longer password “as legacy technology doesn’t support it.”

He said this is common in banking and financial services where there is legacy technology, and support for that has been in place for decades. “When you think about passwordless authentication, the conversation is on specific use cases where you aim to reduce the number of passwords to remember and enter, rather than completely eliminating them,” he said.

Asked about the biometrics take up factor, and if it is enabling passwordless, Goerlich said it is, but the caveat is that “on the security side, a lot of us were burned in the early days as it was easy to bypass.” He referenced being able to access a data center with gummy bears, and even when Apple’s TouchID was broken a short time after it was introduced in 2013.

“The reason why I’m bullish and positive on the future of biometrics is because passwordless is authentication with a single strong factor, and it allows you to authenticate to a phone and having biometrics is the strong factor,” he said.

On the consumer side, could he see this being embraced by wider society? He said it depends on how much users can trust a passwordless solution, and how easy it is to be used. “The question is on behavioral economics, and how to make passwordless the default choice,” he said. “Rather than new usernames and passwords, we now use social credentials and Google or Facebook to login, so if you can support social logins and passwordless, you keep more customers.”

He concluded by saying that increasing trust in authentication is vital for passwordless to succeed, as today’s good factor is bypassed tomorrow. 

What’s Hot on Infosecurity Magazine?