DENVER — The cybersecurity industry may finally be on the cusp of meaningfully moving beyond passwords, as up-and-coming technologies promise a more secure authentication experience without causing user friction, according to cybersecurity veteran Jim Routh.
Routh, who has served in CSO/CISO positions at companies including MassMutual, CVS, Aetna and American Express, said at the CyberRisk Alliance’s Identiverse Conference this week that the number of passwords individuals use to access accounts is growing untenable, resulting in unsafe behaviors — and it’s past time to do something about it.
“We have passwords that are ubiquitous that we're using across all sorts of digital assets. They're growing in obsolescence and that growth is happening daily,” Routh remarked. “And so as identity professionals in cybersecurity, we have to change the authentication capability. And that really needs to be more of a mandate for us, as practitioners, to move to something with low friction and high security, which is possible today.”
“We have choices to do that and make it pay for itself in these economic times,” Routh continued, calling for security professionals to step up. “I think we have a lot of choices and options that we never had before,” he said, specifically citing the rise of passwordless technology, which today includes such options as biometrics, magic links and hardware-based authentication.
“Passwords have served the enterprise really well for 60 years,” Routh continued. But “when you have 200 or more digital assets that you have to put a password in, you can't manage that.” Fortunately, “there's technology today that allows us to remove friction so that it enhances the digital experience for consumers. It eliminates account takeover. Eliminates it. So threat actors can't do anything about that. And the irony is, it's a lower cost of operating, which in today's economic conditions is really important.”
And speaking of savings in operating costs, emphasizing those kinds of financial benefits is a great way to secure executive buy-in and support for future identity management implementations.
“You can reduce operating costs … and in some cases, gain revenue and market share … all by replacing passwords with passwordless options, and you’ve got a lot of choices to do that today,” Routh continued. “Really, there's no better time than in these economic times [to] roll it up the flagpole … I guarantee that your CFO, your CIO and your CEO are going to [want to] learn more about that.”
Are passwords on their way out?
The idea of a frictionless, secure identity experience was music to the ears of fellow Identiverse panelist Nicole Dove, head of security at game developer Riot Games.
“As a security leader, I’m not only thinking about player experience, but [I’m] also thinking about user experience,” said Dove. “So I think it's a big part of essentially where we need to pivot in this industry. … I love the idea that [just because] we increase security does not mean that we increase friction.”
There was, however, some dissent among the panelists over whether the password’s demise would happen anytime soon.
“I kind of like the password,” admitted panelist Sean Zadig, vice president and CISO at Yahoo. “I think ultimately long term it’s going to … go away. But right now, our users expect the password — and we've tried to get rid of that in the past, and we've faced extreme reluctance to do that. So I think it's here to stay for a while.”
There’s a downside to that for Yahoo, though: “The problem, of course, is that our attackers, they really focus heavily on taking that password,” said Zadig.
So if passwords are going to stick around for a while, there at least need to be ways to enhance their security, Zadig added. “So how can we make the best use of it now? We combine it with … multifactor.” Also, organizations can add more layers of verification for certain high-risk actions, to create “sort of a sliding continuum of authentication [and] authorization.”
But Routh held firm in his belief that eventually, businesses will need to embrace passwordless.
“Sean may be right that passwords are going to linger for a while. But my view is: When threat actors like the control better than the end user likes the control — in this case, passwords — maybe it's time to change.